Date: Sat, 28 Jul 2018 13:20:44 +0900
From: Jinbum Park
To: axboe@kernel.dk, bart.vanassche@wdc.com, jiufei.xue@linux.alibaba.com, gustavo@embeddedor.com
Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3] pktcdvd: Fix possible Spectre-v1 for pkt_devs
Message-ID: <20180728042044.GA3571@pjb1027-Latitude-E5410>

User controls @dev_minor, which is to be used as an index of pkt_devs.
So, it can be exploited via a Spectre-like attack (speculative execution).
This kind of attack leaks the address of pkt_devs [1].
It leads an attacker to bypass security mechanisms such as KASLR.
So sanitize @dev_minor before using it to prevent the attack.

[1] https://github.com/jinb-park/linux-exploit/tree/master/exploit-remaining-spectre-gadget/leak_pkt_devs.c

Signed-off-by: Jinbum Park
---
v3: work from latest linux-next tree

 drivers/block/pktcdvd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
index a4b4d52..9bb7721 100644
--- a/drivers/block/pktcdvd.c +++ b/drivers/block/pktcdvd.c @@ -67,7 +67,7 @@ #include #include #include - +#include #include #define DRIVER_NAME "pktcdvd" @@ -2254,6 +2254,8 @@ static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor) { if (dev_minor >= MAX_WRITERS) return NULL; + + dev_minor = array_index_nospec(dev_minor, MAX_WRITERS); return pkt_devs[dev_minor]; } -- 1.9.1
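Review bot: the name of the header added in the first hunk was lost in extraction (the line reads only `+#include`), so the one thing to verify on the real patch is that it is the header that declares array_index_nospec(), which the second hunk calls; relying on the function arriving through some other include would build today but break on a later header cleanup. The hunk also replaces the blank line that separated the include block from `#define DRIVER_NAME "pktcdvd"` rather than adding after it, which is a style nit only.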
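Review bot: the clamp in the second hunk is placed correctly, after the `if (dev_minor >= MAX_WRITERS) return NULL;` check rather than before it, which is what makes array_index_nospec() effective: the check still rejects out-of-range minors architecturally, and the clamp forces a speculatively out-of-range index to 0 so `pkt_devs[dev_minor]` cannot load past the array. Because the parameter is `unsigned int dev_minor`, the single `>=` comparison also covers values that would be negative as a signed int, so no second lower-bound check is needed. One suggestion: add a one-line comment above the call, e.g. `/* Clamp against Spectre-v1; must follow the bounds check */`, so a later reader does not remove a clamp that sits right under an apparently sufficient check.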
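To show what the clamp in the second hunk does on the speculative path, here is an added user-space C model; it is not the patch's or the kernel's code. It mirrors the shape of pkt_find_dev_from_minor(): a bounds check followed by a branch-free index clamp. index_mask_nospec() follows the arithmetic of the kernel's generic fallback for array_index_mask_nospec(); the 8-entry MAX_WRITERS value, the struct and table names, and find_dev_from_minor() are constructed placeholders rather than the driver's own definitions.

```c
#include <stdio.h>
#include <limits.h>
#include <stddef.h>

/* Constructed value standing in for the driver's MAX_WRITERS. */
#define MAX_WRITERS 8

/*
 * Branch-free mask: all ones when index < size, all zeros otherwise.
 * Same arithmetic as the kernel's generic array_index_mask_nospec()
 * fallback. Requires size <= LONG_MAX: then (size - 1 - index) only has
 * its top bit set when the subtraction wraps, i.e. when index >= size.
 * The right shift of a negative long is arithmetic on gcc/clang.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/*
 * Clamp index to 0 when it is out of range, without a branch the CPU
 * could speculate past. In range: index & ~0UL == index.
 * Out of range: index & 0 == 0.
 */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Constructed stand-in for the driver's per-device object and table. */
struct pktcdvd_device_model {
    unsigned int dev_minor;
};

static struct pktcdvd_device_model devices[MAX_WRITERS];
static struct pktcdvd_device_model *table[MAX_WRITERS];

static void setup_table(void)
{
    for (unsigned int i = 0; i < MAX_WRITERS; i++) {
        devices[i].dev_minor = i;
        table[i] = &devices[i];
    }
}

/* Same structure as the patched lookup: check, then clamp, then index. */
static struct pktcdvd_device_model *find_dev_from_minor(unsigned int dev_minor)
{
    if (dev_minor >= MAX_WRITERS)
        return NULL;
    /*
     * Architecturally we never get here with dev_minor >= MAX_WRITERS.
     * If the CPU speculates past the check anyway, the clamp turns the
     * index into 0, so the speculative load stays inside table[].
     */
    dev_minor = (unsigned int)index_nospec(dev_minor, MAX_WRITERS);
    return table[dev_minor];
}

int main(void)
{
    setup_table();
    unsigned long probes[] = { 0, 3, MAX_WRITERS - 1, MAX_WRITERS, ULONG_MAX };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("index %lu -> clamped %lu\n", probes[i],
               index_nospec(probes[i], MAX_WRITERS));
    printf("lookup 2: %s, lookup 9: %s\n",
           find_dev_from_minor(2) ? "found" : "NULL",
           find_dev_from_minor(9) ? "found" : "NULL");
    return 0;
}
```

The clamp alone is not the mitigation: on its own it would silently map every bad minor to device 0. It is the combination with the preceding bounds check that gives correct architectural behaviour (NULL for bad minors) and a bounded speculative footprint.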