From: Jeremy Cline
To: Theodore Ts'o, Andreas Dilger
Cc: Josh Poimboeuf, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, Jeremy Cline, stable@vger.kernel.org
Subject: [PATCH 3/3] ext4: mballoc: Fix spectre gadget in ext4_mb_simple_scan_group
Date: Fri, 27 Jul 2018 16:23:57 +0000
Message-Id: <20180727162357.30801-4-jcline@redhat.com>
In-Reply-To: <20180727162357.30801-1-jcline@redhat.com>
References: <20180727162357.30801-1-jcline@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

'ac->ac_2order' is a user-controlled value used to index into
'grp->bb_counters' and based on the value at that index, 'ac->ac_found'
is written to. Clamp the value right after the bounds check to avoid a
speculative out-of-bounds read of 'grp->bb_counters'.

This also protects the access of the s_mb_offsets and s_mb_maxs arrays
inside mb_find_buddy().

These gadgets were discovered with the help of smatch:

* fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
  spectre issue 'grp->bb_counters' [w] (local cap)

* fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
  'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)

* fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
  'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)

Cc: Josh Poimboeuf
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline
---
 fs/ext4/mballoc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index f7ab34088162..c0866007a949 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include 
@@ -1893,6 +1894,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, BUG_ON(ac->ac_2order <= 0); for (i = ac->ac_2order; i <= sb->s_blocksize_bits + 1; i++) { + i = array_index_nospec(i, sb->s_blocksize_bits + 2); if (grp->bb_counters[i] == 0) continue; -- 2.17.1
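
Review bot: In the ext4_mb_simple_scan_group() hunk, the clamp size 'sb->s_blocksize_bits + 2' on the added line is written separately from the loop condition 'i <= sb->s_blocksize_bits + 1', so the two can drift apart if the bound is ever changed. A one-line comment above the added line saying that the size must stay equal to the loop's upper bound plus one, or a shared local holding the bound, would tie them together. The commit message also says the clamp covers the s_mb_offsets and s_mb_maxs reads in mb_find_buddy(), but no call to mb_find_buddy() appears in the visible context, so that comment should also say that the clamped 'i' is the value that reaches it.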
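
Added example, not part of the original patch or the kernel source: a user-space C model of the clamp described in the commit message, using the branch-free mask form of the kernel's generic array_index_nospec() fallback. BLOCKSIZE_BITS, the bb_counters contents and the function names are constructed for illustration, and the empty asm barrier assumes GCC or Clang.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG  (sizeof(long) * CHAR_BIT)
#define BLOCKSIZE_BITS 12UL                    /* constructed: 4 KiB blocks */
#define NUM_ORDERS     (BLOCKSIZE_BITS + 2)    /* valid indices 0..BLOCKSIZE_BITS+1 */

/* Constructed sample: free extents only at orders 5 and 9. */
static const unsigned int bb_counters[NUM_ORDERS] = { [5] = 3, [9] = 1 };

/* All-ones when index < size, zero otherwise, computed without a branch so
 * there is no prediction to get wrong. Requires size <= LONG_MAX and an
 * arithmetic right shift of signed long (true for GCC and Clang). */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	__asm__ volatile("" : "+r"(index));   /* keep the compiler from folding the mask */
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* In-bounds indices pass through unchanged; anything else becomes 0. */
static unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Model of the patched loop: first order >= start with a free extent, or -1. */
static int first_free_order(unsigned long start)
{
	for (unsigned long i = start; i <= BLOCKSIZE_BITS + 1; i++) {
		/* Size is the loop's upper bound plus one, as in the patch. */
		i = clamp_index_nospec(i, NUM_ORDERS);
		if (bb_counters[i] == 0)
			continue;
		return (int)i;
	}
	return -1;
}

int main(void)
{
	printf("clamp(13) = %lu\n", clamp_index_nospec(13, NUM_ORDERS));
	printf("clamp(14) = %lu\n", clamp_index_nospec(14, NUM_ORDERS));
	printf("first free order from 6: %d\n", first_free_order(6));
	return 0;
}
```

Architecturally the clamp never changes 'i' inside the loop, because the loop condition already guarantees it is below NUM_ORDERS; the mask only matters when the CPU runs the body speculatively with an out-of-range index, which then reads element 0 instead of memory past the array.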