Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2485454imm; Mon, 24 Sep 2018 05:18:15 -0700 (PDT) X-Google-Smtp-Source: ACcGV63ZDs4Llfcv8h3hdESuXHNLxsE75DI+Ru/QtfmHuYpPH8V/0wtzHuxbSjRz/r4VEg57kR7L X-Received: by 2002:a63:dd49:: with SMTP id g9-v6mr9115086pgj.356.1537791495048; Mon, 24 Sep 2018 05:18:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537791495; cv=none; d=google.com; s=arc-20160816; b=YUWNsMJAd/uocgM5AC9ocbPHzVCE4oR4zByl9uzKq47iXkwmfx0ZwSzy2sErK9mjuH L4okPEptVyZ97D38H37Qst60q/65LFtbuuH79NE7Pp2JROkq7x8p7NDLXmEwdJsXFfJH zjQnnG19+zGD+SV+x/8O27x7XDL+OGOyVGpnmPqVFZ1NgiDVV0QmWO7Qv1o8Aab0/g9P C6fPZkEwxgO1cmK8D7XAvlGzZGMZmSa4bUxYOK216KqtjVt7QPSrlHM+qMvMcXoConL8 KEOheLot0FFwDoYnUWZRdE/hb3lxsMFS5IbNxhiE8sBP18LiajfkQLTALBWfPUSnZpgW tWXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=MlPVbS++ZqnwjRNFgPxsUlOXJ4xMosb5gmUNhIBLXik=; b=Zj2vnePVxjVaCjVShrJpt0Q64cZVwab0PXym1HnbR6ibR+NuCIn5jNf1c7+GYHjtoO pr5fTEXXlGK1Y2J8Ia3uVtRlIqZGmAScFjbDQHwsHkv2oTIBaxvwXiPWQ7C+0oleuz+I AEmo/yUMAjiDdNc4/H7rAJO3+a9Q1VJ265fWd+wtDiaivxcKs4FRj6Qoj+Y+5iV4APbM zNy7WptKzsYC7SVPP1S2E37bbWi/epCjzebpxi/5YTLrxlmyVDdjlJsYsmdocfwlXSsu 4fEals6N6cPl7Hsr1fFLlvJVDDtIOqfzR7xoYdVtXUzmX2RJQqUtHf9psOgnHHfN2bWz 3q2w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l6-v6si14395326pgl.602.2018.09.24.05.17.58; Mon, 24 Sep 2018 05:18:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732328AbeIXSSy (ORCPT + 99 others); Mon, 24 Sep 2018 14:18:54 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:55858 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729919AbeIXSSx (ORCPT ); Mon, 24 Sep 2018 14:18:53 -0400 Received: from localhost (ip-213-127-77-73.ip.prioritytelecom.net [213.127.77.73]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 4D66610A7; Mon, 24 Sep 2018 12:17:02 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH 4.14 083/173] misc: hmc6352: fix potential Spectre v1 Date: Mon, 24 Sep 2018 13:51:57 +0200 Message-Id: <20180924113122.169647464@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20180924113114.334025954@linuxfoundation.org> References: <20180924113114.334025954@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Gustavo A. R. Silva commit de916736aaaadddbd6061472969f667b14204aa9 upstream. val is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/misc/hmc6352.c:54 compass_store() warn: potential spectre issue 'map' [r] Fix this by sanitizing val before using it to index map Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Signed-off-by: Greg Kroah-Hartman --- drivers/misc/hmc6352.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/misc/hmc6352.c +++ b/drivers/misc/hmc6352.c @@ -27,6 +27,7 @@ #include #include #include +#include static DEFINE_MUTEX(compass_mutex); @@ -50,6 +51,7 @@ static int compass_store(struct device * return ret; if (val >= strlen(map)) return -EINVAL; + val = array_index_nospec(val, strlen(map)); mutex_lock(&compass_mutex); ret = compass_command(c, map[val]); mutex_unlock(&compass_mutex);