Received: by 10.192.165.148 with SMTP id m20csp3737125imm; Mon, 23 Apr 2018 11:26:32 -0700 (PDT) X-Google-Smtp-Source: AIpwx49VeJVYStxkywniTlnnwz+Uee+qWbpgkm4pXa7jt8MB6PxCoxKiiTa2eJIA25D1y10YUnzu X-Received: by 10.99.125.19 with SMTP id y19mr17814183pgc.160.1524507992291; Mon, 23 Apr 2018 11:26:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524507992; cv=none; d=google.com; s=arc-20160816; b=iPEBjvTgSBtI4Mchsquio3Js8mY3BBHqPKo5SJKPvJLA/OOZXLRkwC/5nT+KqTB5hL kRdcPCeruw3zFMkJz2pd8wEOzJWO4vMFQ1v05i43FgH40CL9T9lfxvePQqbL9rWcIFyz oLRNhbZhOAbrCPXuTB2GQGrUZJEAQepzLDiEfDz/6cAGJY6bbB+I4zVTdYRm6HqQaw3r 81IRmLQlsht4hbDXStIvBvvcXfbNK6E6+xSKoRArWvBCIadQDbmoSB9KlzSPFy+uKhhF M8BSOq7hrrq2SB1Kgdhq6JQt3oPXlyknTFhogy07G4WkJIFcFn2bL3PkgLZvZVw4U2h1 PAsw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature:arc-authentication-results; bh=Lg6dyBQGLuyccbzoDH90L8sY2BoqkeznfuDokce38Bw=; b=JWdWTtMf7rue73UyjLDB5ylbM0PoegiJtX6qfZkscnKlsoI0SRPwBx4liCP6E+WdBQ cZllmSiapZNoCr3u/qxFH4vPCRjdULCNuG5hCtxFOtwYew05dD8Jgu2hk+kOIap6waw6 7W0/3xbUhhBrVZ1mIkfHkO2yZFirTx2vvCsPbi3tNyTjYTyRNR4uSs6BA9dwLJwxXVNX t+/+LPI/Oa55HzI4HswMnlCFCE1dQAAVVc6bS8ostL550Px/MpNwbRKm3s6p7lRpW22m PQUzBSCbgjnLX0q4Ta3oBbOTdKyFnXVMh4VqC4XRbi4sWCiYC8Ld7aCov1UHm5iylast ic/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=VtOGkLxy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c16si9788834pgv.574.2018.04.23.11.26.17; Mon, 23 Apr 2018 11:26:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=VtOGkLxy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932301AbeDWSZL (ORCPT + 99 others); Mon, 23 Apr 2018 14:25:11 -0400 Received: from bombadil.infradead.org ([198.137.202.133]:54122 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932085AbeDWSZI (ORCPT ); Mon, 23 Apr 2018 14:25:08 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=Content-Transfer-Encoding: Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Subject:Cc:To: From:Date:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Lg6dyBQGLuyccbzoDH90L8sY2BoqkeznfuDokce38Bw=; b=VtOGkLxyJbmT6w3mgCeIkiIpb 330s+1Q3qkU+8a9awN+AnXgN2lM45wHzO6O02lhvITNE4ly6i48kzz/9HdpNTK/aLgzMwioAJ3QRx XtTm90rX7901VyPL35qSRFBoIuaBSi350Xox6bHUEBJwLWSakGhOxi+iskuH3Bcqr/g1Z5624kInJ KOrRhksYKUBbO0Lfz7+C6SSyaLWNDagqPVs/HeN3lJTDIKN2qTv8nORncxAmFFtjUH+0YQjecsM90 51sZcGGy+buRIwe3smsuMPsBjlRhtmSGLa9QUa4AX/djusxw5gxsZBnXzJwz/TlavjGTzScItzZeh jwNvMEiFw==; Received: from 177.18.30.209.dynamic.adsl.gvt.net.br ([177.18.30.209] helo=vento.lan) by bombadil.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux)) id 1fAg99-0001r2-M1; Mon, 23 Apr 2018 18:25:04 +0000 Date: Mon, 23 Apr 2018 15:24:55 -0300 From: Mauro Carvalho Chehab To: "Gustavo A. R. Silva" , Dan Carpenter Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 01/11] media: tm6000: fix potential Spectre variant 1 Message-ID: <20180423152455.363d285c@vento.lan> In-Reply-To: <3d4973141e218fb516422d3d831742d55aaa5c04.1524499368.git.gustavo@embeddedor.com> References: <3d4973141e218fb516422d3d831742d55aaa5c04.1524499368.git.gustavo@embeddedor.com> X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.32; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Em Mon, 23 Apr 2018 12:38:03 -0500 "Gustavo A. R. Silva" escreveu: > f->index can be controlled by user-space, hence leading to a > potential exploitation of the Spectre variant 1 vulnerability. > > Smatch warning: > drivers/media/usb/tm6000/tm6000-video.c:879 vidioc_enum_fmt_vid_cap() warn: potential spectre issue 'format' > > Fix this by sanitizing f->index before using it to index > array _format_ > > Notice that given that speculation windows are large, the policy is > to kill the speculation on the first load and not worry if it can be > completed with a dependent load/store [1]. > > [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 > > Cc: stable@vger.kernel.org > Reported-by: Dan Carpenter > Signed-off-by: Gustavo A. R. Silva > --- > drivers/media/usb/tm6000/tm6000-video.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c > index b2399d4..d701027 100644 > --- a/drivers/media/usb/tm6000/tm6000-video.c > +++ b/drivers/media/usb/tm6000/tm6000-video.c > @@ -26,6 +26,7 @@ > #include > #include > #include > +#include > > #include "tm6000-regs.h" > #include "tm6000.h" > @@ -875,6 +876,7 @@ static int vidioc_enum_fmt_vid_cap(struct file *file, void *priv, > if (f->index >= ARRAY_SIZE(format)) > return -EINVAL; > > + f->index = array_index_nospec(f->index, ARRAY_SIZE(format)); Please enlighten me: how do you think this could be exploited? When an application calls VIDIOC_ENUM_FMT from a /dev/video0 device, it will just enumerate a hardware functionality, with is constant for a given hardware piece. The way it works is that userspace do something like: int ret = 0; for (i = 0; ret == 0; i++) { ret = ioctl(VIDIOC_ENUM_FMT, ...); } in order to read an entire const table. Usually, it doesn't require any special privilege to call this ioctl, but, even if someone changes its permission to 0x400, a simple lsusb output is enough to know what hardware model is there. A lsmod or cat /proc/modules) also tells that the tm6000 module was loaded, with is a very good hint that the tm6000 is there or was there in the past. In the specific case of tm6000, all hardware supports exactly the same formats, as this is usually defined per-driver. So, a quick look at the driver is enough to know exactly what the ioctl would answer. Also, the net is full of other resources that would allow anyone to get the supported formats for a piece of hardware. Even assuming that the OS doesn't have lsusb, that /proc is not mounted, that /dev/video0 require special permissions, that the potential attacker doesn't have physical access to the equipment (in order to see if an USB board is plugged), etc... What possible harm he could do by identifying a hardware feature? Similar notes for the other patches to drivers/media in this series: let's not just start adding bloatware where not needed. Please notice that I'm fine if you want to submit potential Spectre variant 1 fixups, but if you're willing to do so, please provide an explanation about the potential threat scenarios that you're identifying at the code. Dan, It probably makes sense to have somewhere at smatch a place where we could explicitly mark the false-positives, in order to avoid use to receive patches that would just add an extra delay where it is not needed. Regards, Mauro