Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp5255087imm; Tue, 16 Oct 2018 07:33:44 -0700 (PDT) X-Google-Smtp-Source: ACcGV60ticHJH2Ugu64L3c9HZ0paopIgNDg9JN0du/Aj+Fok5iq5/jt+zUU9Sa1+4siM8p1ZzOUv X-Received: by 2002:a63:e54d:: with SMTP id z13-v6mr438533pgj.169.1539700423959; Tue, 16 Oct 2018 07:33:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539700423; cv=none; d=google.com; s=arc-20160816; b=pEaV4hNiZxkOiiDCaTkukPvJgx+BzRSS7gHIcP9QEi0U+2NfFJsYnvF6g+JpuEkKng oJ1PI/KXwieKDKxcF3b0nt7NwUeWtKa8B97mYcKuaHkyKHzcqggrcLsox7nbkXK60Qy6 22tl1Tp9lmCmNE13rpZGS6RKK2jJQUHDjucwpDExP3QTDTxvgmZCOuEGQzwWShljwJiH c5llJ/7Ei0TK85+m4HmdcEjMooN0OWhvjUndCw3BxZjj/RHz/qVo58cQJY/zt7UEyv12 t3cXSkVKd6iFOcQn+Pf0a7JOJK4YWVRyXztpoWBb3KMoW81iw2+1s4PiXzjKvvj2TrWq gmAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:content-disposition :mime-version:message-id:subject:cc:to:from:date; bh=U02qGluwXLBin6jv/uPRnbrrVMyLzR+fKHfvJCUVnYQ=; b=jYj1fFWUHTb3JJpUoBtd2O/W2JAF8CPB5E9yTlRlItO2MFd66LKPthRMAzL7R9IErO bYzbHAF8iV5cfBHeW851wkUU70x622/trhUQIx2k0gBes2hl0HfA90g/C9ALv0GRG24l BiwJfYJPNlxBkXVve9nF/7oAYQDRX86wf82qgfKok6Wdf3WTnFvdHfFa6FM2UdLyXY1v nSVzarP1MMqm/DMxvec8KGz879Q89+SQwtdyx4nq8KopcXH13FUE0jl50JOR9UYknTL9 PZLUnPLIDukDsnueNO1qoggqm6dvkjobhVUoq/9cepyStZPuwTDaT/J8ra7hlU1sw20a EdzQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t10-v6si14490251pfc.129.2018.10.16.07.33.27; Tue, 16 Oct 2018 07:33:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727154AbeJPWX2 (ORCPT + 99 others); Tue, 16 Oct 2018 18:23:28 -0400 Received: from gateway34.websitewelcome.com ([192.185.148.200]:14640 "EHLO gateway34.websitewelcome.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726760AbeJPWX2 (ORCPT ); Tue, 16 Oct 2018 18:23:28 -0400 Received: from cm14.websitewelcome.com (cm14.websitewelcome.com [100.42.49.7]) by gateway34.websitewelcome.com (Postfix) with ESMTP id 285CA778C4 for ; Tue, 16 Oct 2018 09:32:44 -0500 (CDT) Received: from gator4166.hostgator.com ([108.167.133.22]) by cmsmtp with SMTP id CQOqgdM2NkBj6CQOqghwwC; Tue, 16 Oct 2018 09:32:44 -0500 X-Authority-Reason: nr=8 Received: from lns-bzn-40-82-251-138-249.adsl.proxad.net ([82.251.138.249]:47442 helo=embeddedor) by gator4166.hostgator.com with esmtpa (Exim 4.91) (envelope-from ) id 1gCQOp-003QwQ-HC; Tue, 16 Oct 2018 09:32:43 -0500 Date: Tue, 16 Oct 2018 16:32:40 +0200 From: "Gustavo A. R. Silva" To: Doug Ledford , Jason Gunthorpe Cc: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH] IB/ucm: Fix Spectre v1 vulnerability Message-ID: <20181016143240.GA6087@embeddedor.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator4166.hostgator.com X-AntiAbuse: Original Domain - vger.kernel.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - embeddedor.com X-BWhitelist: no X-Source-IP: 82.251.138.249 X-Source-L: No X-Exim-ID: 1gCQOp-003QwQ-HC X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: lns-bzn-40-82-251-138-249.adsl.proxad.net (embeddedor) [82.251.138.249]:47442 X-Source-Auth: gustavo@embeddedor.com X-Email-Count: 4 X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20= X-Local-Domain: yes Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org hdr.cmd can be indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/infiniband/core/ucm.c:1127 ib_ucm_write() warn: potential spectre issue 'ucm_cmd_table' [r] (local cap) Fix this by sanitizing hdr.cmd before using it to index ucm_cmd_table. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva --- drivers/infiniband/core/ucm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c index faa9e61..73332b9 100644 --- a/drivers/infiniband/core/ucm.c +++ b/drivers/infiniband/core/ucm.c @@ -46,6 +46,8 @@ #include #include +#include + #include #include @@ -1120,6 +1122,7 @@ static ssize_t ib_ucm_write(struct file *filp, const char __user *buf, if (hdr.cmd >= ARRAY_SIZE(ucm_cmd_table)) return -EINVAL; + hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucm_cmd_table)); if (hdr.in + sizeof(hdr) > len) return -EINVAL; -- 2.7.4