Date: Tue, 31 Jul 2018 23:25:57 +0900
From: Jinbum Park
To: peterz@infradead.org, mingo@redhat.com, acme@kernel.org, alexander.shishkin@linux.intel.com, jolsa@redhat.com, namhyung@kernel.org
Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: [PATCH] perf/core: Fix possible Spectre-v1 for perf_swevent_enabled
Message-ID: <20180731142557.GA12460@pjb1027-Latitude-E5410>
X-Mailing-List: linux-kernel@vger.kernel.org

User controls @event_id, which is to be used as the index of perf_swevent_enabled.
So, it can be exploited via a Spectre-like attack (speculative execution).
So sanitize @event_id before using it to prevent the attack.

I leveraged strategy [1] to find this gadget.

[1] https://github.com/jinb-park/linux-exploit/tree/master/exploit-remaining-spectre-gadget/

Signed-off-by: Jinbum Park
--- kernel/events/core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c index f6ea33a..3313552 100644 --- a/kernel/events/core.c 
+++ b/kernel/events/core.c @@ -50,6 +50,7 @@ #include #include #include +#include #include "internal.h" @@ -8200,6 +8201,7 @@ static int perf_swevent_init(struct perf_event *event) if (err) return err; + event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX); static_key_slow_inc(&perf_swevent_enabled[event_id]); event->destroy = sw_perf_event_destroy; } -- 1.9.1
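
Review bot: In the perf_swevent_init() hunk, the added array_index_nospec(event_id, PERF_COUNT_SW_MAX) line is only meaningful as the second half of a pair, and the visible context does not show the architectural range check on event_id that it is supposed to follow. Please confirm that a comparison against the same PERF_COUNT_SW_MAX limit precedes this point on every path that reaches it, and add a one-line comment at the clamp naming that check so the pairing survives later refactoring. Also confirm the type of event_id: array_index_nospec() refuses at build time an index wider than long, which matters on 32-bit builds if event_id is a 64-bit value. Finally, the changelog should say which user-supplied field @event_id comes from, and whether sw_perf_event_destroy, assigned two lines below, indexes perf_swevent_enabled from that same field and needs the same clamp.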
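
How the sanitizing step in the patch above clamps an index without a branch, as an added user-space model (not code from the patch or from the kernel tree). The function names, the `enabled` array and `SW_MAX` are constructed stand-ins; the mask arithmetic follows the form of the kernel's generic C fallback and assumes arithmetic right shift of signed values, as GCC and Clang provide.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define SW_MAX 10UL /* constructed stand-in for PERF_COUNT_SW_MAX */

/*
 * All ones when index < size, zero otherwise, with no conditional branch.
 * If index >= size, either index has its top bit set or (size - 1 - index)
 * wraps and has its top bit set, so the OR is "negative" and ~ clears the
 * sign bit; the arithmetic shift then smears that bit over the whole word.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (BITS_PER_LONG - 1));
}

/* In-range indexes pass through; out-of-range ones collapse to 0. */
static unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

static int enabled[SW_MAX]; /* hypothetical per-event counter table */

/* Models the patched call site: architectural check first, then the clamp. */
static int sw_event_enable(unsigned long event_id)
{
    if (event_id >= SW_MAX)
        return -1; /* the branch a CPU may mispredict */
    /* Data dependency, not a branch: holds even on a mispredicted path. */
    event_id = clamp_index_nospec(event_id, SW_MAX);
    enabled[event_id]++;
    return 0;
}

int main(void)
{
    unsigned long samples[] = { 0, 3, 9, 10, 11, ULONG_MAX };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("index %lu -> %lu\n", samples[i],
               clamp_index_nospec(samples[i], SW_MAX));
    return sw_event_enable(3);
}
```

This model has no compiler barrier around the index, so it shows the arithmetic only; an optimizing compiler is free to fold the mask away after the bounds check.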