Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2469576imm; Mon, 24 Sep 2018 05:03:40 -0700 (PDT) X-Google-Smtp-Source: ACcGV61QF9H5fmuo/aWoUVLBmlhc63Fc/t9V9LUmsRjA32Md4DK/jcBLYN901tVud92ZXrw24Yyz X-Received: by 2002:a17:902:9a01:: with SMTP id v1-v6mr10425202plp.20.1537790620127; Mon, 24 Sep 2018 05:03:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537790620; cv=none; d=google.com; s=arc-20160816; b=KvnQcpIoaXAFMrbnXJvpsXFTO9A8Sz4JdH087OhB1xtR12GHBJsRZj0y+TTfINuj1t 64gjyBTh59TLaKDrydXwLLMGZvVijjqmuXBLHyfwLCdfdQTRbYFFQI0aEhVPbd9Giyi7 FLvZJiqiLpPRNPsfXtgfcRYtzgi+u5eTSiKzfEJA2WYbasXNK1g+zMMv64NO0Q+Tpcr9 4/lV++U2hBuK7WAIUwHtNzlu5ADniC3XdLcUQLYpTl22mkmjrpzpmCjn/nbDSMGkney/ LYFikt71Ip7TTszW8RR2yG2q5XvjiCB22ETgOMPEdAcg4/R+2gCQvNLgCunD40tV8Jjh Cl2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=fYGDBngWUwKQQdu/CuR+IPzbtPPKvHjqOTTqVXKq1gU=; b=RTryycjWHlOva26maoYhmV0xDi9a9W0kg8ObpRHDElq4i5xqyKrepb2Cmy+S5mQtOe 7dyiG41AX9kz73LkMtAL7HXwlxWy14m/Xl9ar7ftUSzuUXECFS6udy49jaQD94tNXnbW /EqJj8jw+FHqRFjU7KzIia/RuUWFK5+PtItLn8/Mjx5stdyTzbu3KNyBH6iZ5fh/+0og cH/kuT/7F+mJ74si+45lVM4SEm1GIhhFf04ISz3Y1HrLrOgASP4hDlwT3rLxalxevWCF CtwOMMTI4igqo4ci7Tk2yAJyzrzL2MPvOVUSq334THotm9YBr3rV/SIzQ8/cC4WH8u0J 3pvQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 68-v6si7292389pla.496.2018.09.24.05.03.24; Mon, 24 Sep 2018 05:03:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730907AbeIXSET (ORCPT + 99 others); Mon, 24 Sep 2018 14:04:19 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:53736 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729639AbeIXSET (ORCPT ); Mon, 24 Sep 2018 14:04:19 -0400 Received: from localhost (ip-213-127-77-73.ip.prioritytelecom.net [213.127.77.73]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 13E48D64; Mon, 24 Sep 2018 12:02:31 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH 4.9 053/111] misc: hmc6352: fix potential Spectre v1 Date: Mon, 24 Sep 2018 13:52:20 +0200 Message-Id: <20180924113110.242029888@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20180924113103.337261320@linuxfoundation.org> References: <20180924113103.337261320@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Gustavo A. R. Silva commit de916736aaaadddbd6061472969f667b14204aa9 upstream. val is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/misc/hmc6352.c:54 compass_store() warn: potential spectre issue 'map' [r] Fix this by sanitizing val before using it to index map Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Signed-off-by: Greg Kroah-Hartman --- drivers/misc/hmc6352.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/misc/hmc6352.c +++ b/drivers/misc/hmc6352.c @@ -27,6 +27,7 @@ #include #include #include +#include static DEFINE_MUTEX(compass_mutex); @@ -50,6 +51,7 @@ static int compass_store(struct device * return ret; if (val >= strlen(map)) return -EINVAL; + val = array_index_nospec(val, strlen(map)); mutex_lock(&compass_mutex); ret = compass_command(c, map[val]); mutex_unlock(&compass_mutex);