From: Andreas Dilger
Subject: Re: [PATCH 1/3] ext4: super: Fix spectre gadget in ext4_quota_on
Date: Tue, 31 Jul 2018 00:39:41 -0600
To: Josh Poimboeuf
Cc: Jeremy Cline, Theodore Ts'o, linux-ext4, Linux Kernel Mailing List, stable@vger.kernel.org
In-Reply-To: <20180727174654.bnooz26puuo7456w@treble>
References: <20180727162357.30801-1-jcline@redhat.com> <20180727162357.30801-2-jcline@redhat.com> <20180727174654.bnooz26puuo7456w@treble>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Jul 27, 2018, at 11:46 AM, Josh Poimboeuf wrote:
>
> On Fri, Jul 27, 2018 at 04:23:55PM +0000, Jeremy Cline wrote:
>> 'type' is a user-controlled value used to index into 's_qf_names', which
>> can be used in a Spectre v1 attack. Clamp 'type' to the size of the
>> array to avoid a speculative out-of-bounds read.
>>
>> Cc: Josh Poimboeuf
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Jeremy Cline
>> ---
>> fs/ext4/super.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
>> index 6480e763080f..c04a09b51742 100644
>> --- a/fs/ext4/super.c
>> +++ b/fs/ext4/super.c
>> @@ -40,6 +40,7 @@
>> #include
>> #include
>> #include
>> +#include
>> #include
>> #include
>>
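Review bot: the header name on the added `+#include` line does not survive in this rendering of the hunk, so the one thing that matters about it cannot be checked here; it has to be the header that declares array_index_nospec(), which the second hunk calls (in mainline that declaration lives in linux/nospec.h), and it should keep the ordering of the neighbouring includes, whose names are equally unreadable on the page.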
>> @@ -5559,6 +5560,7 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id,
>> if (path->dentry->d_sb != sb)
>> return -EXDEV;
>> /* Journaling quota? */
>> + type = array_index_nospec(type, EXT4_MAXQUOTAS);

This check just papers over the issue, but AFAICS doesn't actually solve
any problems. It ends up squashing an invalid value to be the same as
EXT4_MAXQUOTAS, rather than returning an error to the caller as it should.

>> if (EXT4_SB(sb)->s_qf_names[type]) {
>> /* Quotafile not in fs root? */
>> if (path->dentry->d_parent != sb->s_root)
>
> Generally we try to put the array_index_nospec() close to the bounds
> check for which it's trying to prevent speculation past.
>
> In this case, I'd expect the EXT4_MAXQUOTAS bounds check to be in
> do_quotactl(), but it seems to be missing:
>
> if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS))
> return -EINVAL;

Agreed that this should be checked at the highest layer possible. IMHO,
this means one check in the VFS/quota layer, and a separate check in the
filesystem layer.

> Also it looks like XQM_MAXQUOTAS, MAXQUOTAS, and EXT4_MAXQUOTAS all have
> the same value (3). Maybe they can be consolidated to just use
> MAXQUOTAS everywhere?

No, the filesystem-specific MAXQUOTAS values were separated from the
kernel MAXQUOTAS value for a good reason. This allows some filesystems
to support new quota types (e.g. project quotas) that not all other
filesystems can handle. This may potentially change again in the future,
so they shouldn't be tightly coupled.

> Then the nospec would be simple:
>
> if (type >= MAXQUOTAS)
> return -EINVAL;
> type = array_index_nospec(type, MAXQUOTAS);
>
> Otherwise I think we may need to disperse the array_index_nospec calls
> deeper in the callchain.
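Review bot: in the hunk at `@@ -5559,6 +5560,7 @@`, the added `+ type = array_index_nospec(type, EXT4_MAXQUOTAS);` has no `type >= EXT4_MAXQUOTAS` check anywhere before it in ext4_quota_on(); the only checks visible in the context lines (`path->dentry->d_sb != sb`, `path->dentry->d_parent != sb->s_root`) are about the path, not the index. array_index_nospec() only masks an index that is already out of range (to index 0 in the kernel's implementation) and reports nothing, so an invalid `type` reaching this function is quietly redirected to a valid slot of s_qf_names[] rather than rejected, and the helper is meant to sit directly after the bounds check whose mispredicted branch it closes. Either add `if (type >= EXT4_MAXQUOTAS) return -EINVAL;` immediately before the new line and say so in the commit message (which currently describes only the clamp), or place the clamp next to the range check in the quotactl path so the two stay together.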
>
> --
> Josh

Cheers, Andreas
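As an added illustration of the point argued in this thread, not code from the patch or from the kernel, the block below models the quota `type` index path in userspace. The mask arithmetic is a copy of the kernel's generic array_index_mask_nospec() (the `volatile` stands in for OPTIMIZER_HIDE_VAR()), `SUBCMDMASK` and `cmd & SUBCMDMASK` follow the quotactl(2) command encoding, and `s_qf_names[]` is a constructed stand-in for the ext4 superblock array. `slot_clamp_only()` is the pattern from the patch as posted (clamp with no range check in front of it); `slot_checked()` is the check-then-clamp pattern Josh suggests. Running it shows that the clamp alone never fails: an out-of-range `type` is masked to index 0 and the lookup proceeds, whereas the checked variant returns -EINVAL. The model takes `type` as unsigned because the syscall derives it from the low byte of `cmd`, so a negative value cannot occur there.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG  (sizeof(long) * CHAR_BIT)
#define MAXQUOTAS      3       /* USRQUOTA, GRPQUOTA, PRJQUOTA */
#define SUBCMDMASK     0x00ff  /* quotactl(2) keeps the type in the low byte of cmd */

/*
 * Same arithmetic as the kernel's generic array_index_mask_nospec():
 * all ones when index < size, zero otherwise, computed without a branch
 * so the CPU has nothing to mispredict. 'volatile' stands in for
 * OPTIMIZER_HIDE_VAR() so the compiler cannot fold the mask away.
 */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
	volatile unsigned long hidden = index;

	return ~(long)(hidden | (size - 1UL - hidden)) >> (BITS_PER_LONG - 1);
}

/* Userspace stand-in for the array_index_nospec() macro: index & mask. */
static unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
	return index & array_index_mask_nospec(index, size);
}

/* Constructed stand-in for EXT4_SB(sb)->s_qf_names[]; NULL = no journalled quota file. */
static const char *const s_qf_names[MAXQUOTAS] = { "aquota.user", NULL, "aquota.project" };

/* How the quotactl syscall derives 'type' from its cmd argument. */
static unsigned int quota_type_from_cmd(unsigned int cmd)
{
	return cmd & SUBCMDMASK;
}

/*
 * The pattern in the patch as posted: clamp with no range check in front
 * of it. Returns the slot of s_qf_names[] that would be dereferenced.
 */
static int slot_clamp_only(unsigned int type)
{
	type = array_index_nospec(type, MAXQUOTAS);
	return (int)type;
}

/*
 * The pattern Josh suggests: reject out-of-range values first, then mask
 * directly after the check it protects. Returns the slot, or -EINVAL.
 */
static int slot_checked(unsigned int type)
{
	if (type >= MAXQUOTAS)
		return -EINVAL;
	type = array_index_nospec(type, MAXQUOTAS);
	return (int)type;
}

/* What ext4_quota_on() looks up after the check: the quota file name, or NULL. */
static const char *quota_file_name(unsigned int cmd)
{
	int slot = slot_checked(quota_type_from_cmd(cmd));

	return slot < 0 ? NULL : s_qf_names[slot];
}

int main(void)
{
	static const unsigned int bad[] = { 3, 7, 0xff };
	size_t i;

	for (i = 0; i < sizeof bad / sizeof bad[0]; i++)
		printf("type %u: clamp-only dereferences slot %d, checked returns %d\n",
		       bad[i], slot_clamp_only(bad[i]), slot_checked(bad[i]));
	printf("cmd 0x%x -> %s\n", 0x0102u, quota_file_name(0x0102u));
	return 0;
}
```

The mask is branch-free on purpose: a `if (type >= MAXQUOTAS)` branch can be mispredicted and the load from `s_qf_names[type]` executed speculatively, while an AND with a mask derived from the same comparison cannot. That is also why the mask belongs right after the check: the check is what makes a bad `type` an error for the architectural path, and the mask is what stops the speculative path from using it before the check resolves.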