Received: by 10.192.165.148 with SMTP id m20csp4573778imm; Tue, 24 Apr 2018 05:09:53 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/T/v/mN7hl6zx2DtWm/+Nd89RVMB4mXIP63pL3DxnZK7yIGRqaodNj/AkiO5GqoNuDN8ZW X-Received: by 10.99.126.9 with SMTP id z9mr20564150pgc.437.1524571793788; Tue, 24 Apr 2018 05:09:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524571793; cv=none; d=google.com; s=arc-20160816; b=Eatr/KrJbtBZbjK8Eevl+MecgPS/ALC0YLjfHIU+5GESQDF2/CmC0DFmKYcHKaaNqp btBAoc9NFNJ1qZfYC7EiY73fYct6iojC0iUgkmGW+T0La7JjlZkBQ0TgXnWDbyEXCYfC j1pi5oDQO4Jr9SqMF2ex8nhJeN8CdfPNark37M3X7SfttxvPnJRahNSzMoIZWteGaJhy ZKczUDvanc0JDkLygjLRv/PYKCnwswewIeRJ5JpO1nfAsE3wpJ7vEgX4vD9SwCjSJe+l ram5JSeuNzqABDlLuUfu3JsPHzt69RATzolwig4yQXqXFDkpj/E1EA/luVo3ICIOOm9I RoZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=tk/aEFqRYwulRUZG1/JGPBsZGw6SiEnBJhWbWWSpQLo=; b=ksrqDOMvk0KBTEZmt7ukYoQQ+8L7wVMJiQf4hmyLWv8beETIFZDxP695JudcFVBhdJ /dGfWepJ7IGQELNcfeNVdB9fzOueCvyKh9KPdwwUuvlBEEjuFC8DHvXkqpz7bryHCbMO awFRPHTYNEKyjWfxgqX495f78MsE1AgPIkgDa3C7gt/cB/3wwWwlmXVxCeu+IK8NWg85 mMK3MBYGkIAL4Q4JpUFsGds28/7a/tYT1w4Z+dqz3VSAms+juwMnwG4s2Qckp1STpjZ0 NicT3WaGpTZjZvLTLgalk6rfnCcqzsrnQKDG493u6eZol0bBvrDiHDlh4J9CyA4azjiM MXaA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=tJPm59zw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b3-v6si14236834pld.2.2018.04.24.05.09.39; Tue, 24 Apr 2018 05:09:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=tJPm59zw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755463AbeDXJfl (ORCPT + 99 others); Tue, 24 Apr 2018 05:35:41 -0400 Received: from userp2120.oracle.com ([156.151.31.85]:45694 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753057AbeDXJfh (ORCPT ); Tue, 24 Apr 2018 05:35:37 -0400 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w3O9V38E016993; Tue, 24 Apr 2018 09:35:09 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=corp-2017-10-26; bh=tk/aEFqRYwulRUZG1/JGPBsZGw6SiEnBJhWbWWSpQLo=; b=tJPm59zwb2VGB252fNGxH7Cg2NWW2BXEhdvZ28JrCXkO46kbLqs3JyT1fMG7J4d4Fpt0 vDforS7d9DK3AyTKlxJeiNazxRypldMlXDiIMd3U/UZS1tTIwDpI8KU7wVGlbOjlMQ7Y 7DOxieslF2N4GvUFbwUbCfevzOUTGbPpT+gPs7+cFJ0MAathhwpM2AV+tN/FoXdRZ+br Iw2I/gIQljpnboa0NnwebDTkl0+3DazTyTX9LlXcgRNohhzPFIgGRWWXq1cK7YFHGNVr Dbbl0QehcOYPf50Lu9iF5yqxkfY8rRt+Q8Wv2frU64t4wPuNkz9W1QPOayvWcxMjv/+d XQ== Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp2120.oracle.com with ESMTP id 2hfwy9h3eg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 24 Apr 2018 09:35:09 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w3O9Z8ML028181 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 24 Apr 2018 09:35:08 GMT Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w3O9Z8e7000896; Tue, 24 Apr 2018 09:35:08 GMT Received: from mwanda (/197.254.35.146) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 24 Apr 2018 02:35:07 -0700 Date: Tue, 24 Apr 2018 12:35:00 +0300 From: Dan Carpenter To: Mauro Carvalho Chehab Cc: "Gustavo A. R. Silva" , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Peter Zijlstra Subject: Re: [PATCH 01/11] media: tm6000: fix potential Spectre variant 1 Message-ID: <20180424093500.xvpcm3ibcu7adke2@mwanda> References: <3d4973141e218fb516422d3d831742d55aaa5c04.1524499368.git.gustavo@embeddedor.com> <20180423152455.363d285c@vento.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180423152455.363d285c@vento.lan> User-Agent: NeoMutt/20170609 (1.8.3) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8872 signatures=668698 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=3 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804240093 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Mauro, I saw your comment on LWN. You argue on LWN that since the format array is static the CPU won't speculatively read past the L1 cache? I don't know if that's true. It should be easy enough to filter out the reads into static arrays. Peter do you know the answer here? regards, dan carpenter On Mon, Apr 23, 2018 at 03:24:55PM -0300, Mauro Carvalho Chehab wrote: > Em Mon, 23 Apr 2018 12:38:03 -0500 > "Gustavo A. R. Silva" escreveu: > > > f->index can be controlled by user-space, hence leading to a > > potential exploitation of the Spectre variant 1 vulnerability. > > > > Smatch warning: > > drivers/media/usb/tm6000/tm6000-video.c:879 vidioc_enum_fmt_vid_cap() warn: potential spectre issue 'format' > > > > Fix this by sanitizing f->index before using it to index > > array _format_ > > > > Notice that given that speculation windows are large, the policy is > > to kill the speculation on the first load and not worry if it can be > > completed with a dependent load/store [1]. > > > > [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 > > > > Cc: stable@vger.kernel.org > > Reported-by: Dan Carpenter > > Signed-off-by: Gustavo A. R. Silva > > --- > > drivers/media/usb/tm6000/tm6000-video.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c > > index b2399d4..d701027 100644 > > --- a/drivers/media/usb/tm6000/tm6000-video.c > > +++ b/drivers/media/usb/tm6000/tm6000-video.c > > @@ -26,6 +26,7 @@ > > #include > > #include > > #include > > +#include > > > > #include "tm6000-regs.h" > > #include "tm6000.h" > > @@ -875,6 +876,7 @@ static int vidioc_enum_fmt_vid_cap(struct file *file, void *priv, > > if (f->index >= ARRAY_SIZE(format)) > > return -EINVAL; > > > > + f->index = array_index_nospec(f->index, ARRAY_SIZE(format)); > > Please enlighten me: how do you think this could be exploited? > > When an application calls VIDIOC_ENUM_FMT from a /dev/video0 device, > it will just enumerate a hardware functionality, with is constant > for a given hardware piece. > > The way it works is that userspace do something like: > > int ret = 0; > > for (i = 0; ret == 0; i++) { > ret = ioctl(VIDIOC_ENUM_FMT, ...); > } > > in order to read an entire const table. > > Usually, it doesn't require any special privilege to call this ioctl, > but, even if someone changes its permission to 0x400, a simple lsusb > output is enough to know what hardware model is there. A lsmod > or cat /proc/modules) also tells that the tm6000 module was loaded, > with is a very good hint that the tm6000 is there or was there in the > past. > > In the specific case of tm6000, all hardware supports exactly the > same formats, as this is usually defined per-driver. So, a quick look > at the driver is enough to know exactly what the ioctl would answer. > Also, the net is full of other resources that would allow anyone > to get the supported formats for a piece of hardware. > > Even assuming that the OS doesn't have lsusb, that /proc is not > mounted, that /dev/video0 require special permissions, that the > potential attacker doesn't have physical access to the equipment (in > order to see if an USB board is plugged), etc... What possible harm > he could do by identifying a hardware feature? > > Similar notes for the other patches to drivers/media in this > series: let's not just start adding bloatware where not needed. > > Please notice that I'm fine if you want to submit potential > Spectre variant 1 fixups, but if you're willing to do so, > please provide an explanation about the potential threat scenarios > that you're identifying at the code. > > Dan, > > It probably makes sense to have somewhere at smatch a place where > we could explicitly mark the false-positives, in order to avoid > use to receive patches that would just add an extra delay where > it is not needed. > > Regards, > Mauro