Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2506703imm; Mon, 24 Sep 2018 05:37:38 -0700 (PDT) X-Google-Smtp-Source: ACcGV63+USRxXrAFZ4Mag18KaulVrSRpM0/xhrGWBiin95fCmTgjz0ccxLuJlbR4SihHHMcHBCrx X-Received: by 2002:a17:902:b68a:: with SMTP id c10-v6mr6090616pls.167.1537792658394; Mon, 24 Sep 2018 05:37:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537792658; cv=none; d=google.com; s=arc-20160816; b=GLgiP+nVZIpFVHdM6PiTLiDlVCNqdvp0iA8ldIXoRQSDEl6VECCo3V5tcrvrgLyYJg leqNKleaGJX6XMdpVsCFiPwjd90zvHqaKxLCe5XwiBi0NFEZxgP7tJ4Auf3juys4YeVw cA/3M75A7b8wYYOchYYyNmuhZ/pFcLn7E1i/e0Nfk1mrLHqAp0BtiNJMjdlwsalxybfu 5T2A3M/F1w1STCX4Cu7fscoM0sS3VzRNoZ+FjGzZfjWbWlL9tqF44JIhP3Umw4DL0UbR pNGYsWyN6XWK+zWT4sl62kv0JWuIVeEymRY/bqZmu9XdtHgaEXezVThB9Ey+uyMo48wg TAyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=6xNwxL34vRZUP7dFXtPnToZk4NpV8xdVvvnKPfU14QA=; b=J62jOOS0eykolR/SJ4EsRBb5n3KvAhHMsdKoGghj+iCrXlz1GRuKngN9ow/Z1LHTMm jl6+XzqYUw7CkN8W1CHo9oGmge3R+Of0NGheTwppvRoxZHBXefK3MNozIqeySod5Mr/K xB0O93G/0l3qWGaIGJo+nGnxGJTiezMmga5wyDnLQD1HnFeoyio6rU8edu60qd2W4y0d lx1dUnmZUcqRC/eKvPRMPc/NXNED7qt6bAt3VVBx/PUhHBVVIOAwRnXPgLXArx0+Vwvs H6tEfQCsDDs7p79xKwFdDsxz3FuLNvm50yz5MYJkw5Ifaq0XnXaDjsReupAeYYzUjEah A0bw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 186-v6si3490412pfv.101.2018.09.24.05.37.18; Mon, 24 Sep 2018 05:37:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388348AbeIXSge (ORCPT + 99 others); Mon, 24 Sep 2018 14:36:34 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:58452 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729816AbeIXSge (ORCPT ); Mon, 24 Sep 2018 14:36:34 -0400 Received: from localhost (ip-213-127-77-73.ip.prioritytelecom.net [213.127.77.73]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 285491018; Mon, 24 Sep 2018 12:34:37 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH 4.18 112/235] misc: hmc6352: fix potential Spectre v1 Date: Mon, 24 Sep 2018 13:51:38 +0200 Message-Id: <20180924113117.054087655@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20180924113103.999624566@linuxfoundation.org> References: <20180924113103.999624566@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Gustavo A. R. Silva commit de916736aaaadddbd6061472969f667b14204aa9 upstream. val is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/misc/hmc6352.c:54 compass_store() warn: potential spectre issue 'map' [r] Fix this by sanitizing val before using it to index map Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Signed-off-by: Greg Kroah-Hartman --- drivers/misc/hmc6352.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/misc/hmc6352.c +++ b/drivers/misc/hmc6352.c @@ -27,6 +27,7 @@ #include #include #include +#include static DEFINE_MUTEX(compass_mutex); @@ -50,6 +51,7 @@ static int compass_store(struct device * return ret; if (val >= strlen(map)) return -EINVAL; + val = array_index_nospec(val, strlen(map)); mutex_lock(&compass_mutex); ret = compass_command(c, map[val]); mutex_unlock(&compass_mutex);