Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp5284783imm;
        Tue, 16 Oct 2018 08:01:12 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60OP+9ezn/BsyMaYmu23Neyj2FD5cWzhYdclCwnKUSkHc+iMAA0vVZJYfE87Jc9iIDHcM+j
X-Received: by 2002:a63:9507:: with SMTP id p7-v6mr20625200pgd.449.1539702072370;
        Tue, 16 Oct 2018 08:01:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539702072; cv=none;
        d=google.com; s=arc-20160816;
        b=MyK8RiEAJUqlShzKtnenwQwNkJFKmzAyvYub/gx9ALbQ0F2gtROFUZ5GFqBRCKkx1O
         BANvIzpjIPBiH5PjoFYULDCdcq1i9+MpoJG9Rh1zdLv25Sfxi/GrYecjhGc0JmEkvGlk
         PnWtBzSLBS18O/kzGuKweiBXbfbUf7y8UWqKryNjqCcYb/xDZeUmOIaf5pPRwI2c35vm
         74K8HMuNgBNS0tr1MBAjpymtWaX12g6+CU8FoU7oOY+P30uoSGH+u/SEibwiUygMUpRC
         E8aSftXLFFvLGp+ki0aofkIFgsdbn9KyioT5SOM1SQT/lQEBa/Gdgtsq9fQQLN7gUI+d
         ueeg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:content-disposition
         :mime-version:message-id:subject:cc:to:from:date;
        bh=IlaPHfQQscP9TGyabTz74W/cQiQy6SZPSkUmq3lyyuE=;
        b=nGXl3EMhtjm6la2FiVjOv2M5rZVRjbX+6dbQIEyzA9IVLsQF8IciEV87JPLYJ1igdP
         p5rDkygMsWSKMoCedChJEoXAca3pOc7R5SKZI0ws0pUyAQG8snujStnlGJun5Yr7ro1r
         V7QxEaTmYM1zE5LdQeEtjsd+DtpLb31xCn2MF+lHFcqJGwf+x099GXAw8Bn8OrdF2gEz
         XvcNoXDpBRnn8yFK/OtgAvW7k1vi7wmrvsQgpbJdiMnCWUOd7FzISmFhYJ3nOvO41Sz3
         rgpCijdwThas+SKRSRN4kfjWfhPzpg1Dejt5NWsTYh1GoJXXC5QVDZw3vIZSvqYzpYgI
         QIiw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v14-v6si13575733plo.208.2018.10.16.08.00.55;
        Tue, 16 Oct 2018 08:01:12 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727398AbeJPWt4 (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Tue, 16 Oct 2018 18:49:56 -0400
Received: from gateway21.websitewelcome.com ([192.185.45.91]:33991 "EHLO
        gateway21.websitewelcome.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1727026AbeJPWt4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 16 Oct 2018 18:49:56 -0400
Received: from cm11.websitewelcome.com (cm11.websitewelcome.com [100.42.49.5])
        by gateway21.websitewelcome.com (Postfix) with ESMTP id 2635C400E90AF
        for <linux-kernel@vger.kernel.org>; Tue, 16 Oct 2018 09:59:06 -0500 (CDT)
Received: from gator4166.hostgator.com ([108.167.133.22])
        by cmsmtp with SMTP
        id CQoMglPqaRPojCQoMg2Lk0; Tue, 16 Oct 2018 09:59:06 -0500
X-Authority-Reason: nr=8
Received: from lfbn-1-466-13.w86-245.abo.wanadoo.fr ([86.245.173.13]:42456 helo=embeddedor)
        by gator4166.hostgator.com with esmtpa (Exim 4.91)
        (envelope-from <gustavo@embeddedor.com>)
        id 1gCQoL-003jwz-Bt; Tue, 16 Oct 2018 09:59:05 -0500
Date:   Tue, 16 Oct 2018 16:59:01 +0200
From:   "Gustavo A. R. Silva" <gustavo@embeddedor.com>
To:     Doug Ledford <dledford@redhat.com>, Jason Gunthorpe <jgg@ziepe.ca>
Cc:     linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
        "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Subject: [PATCH] RDMA/ucma: Fix Spectre v1 vulnerability
Message-ID: <20181016145901.GA8811@embeddedor.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator4166.hostgator.com
X-AntiAbuse: Original Domain - vger.kernel.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - embeddedor.com
X-BWhitelist: no
X-Source-IP: 86.245.173.13
X-Source-L: No
X-Exim-ID: 1gCQoL-003jwz-Bt
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: lfbn-1-466-13.w86-245.abo.wanadoo.fr (embeddedor) [86.245.173.13]:42456
X-Source-Auth: gustavo@embeddedor.com
X-Email-Count: 8
X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20=
X-Local-Domain: yes
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

hdr.cmd can be indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/infiniband/core/ucma.c:1686 ucma_write() warn: potential
spectre issue 'ucma_cmd_table' [r] (local cap)

Fix this by sanitizing hdr.cmd before using it to index
ucm_cmd_table.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
 drivers/infiniband/core/ucma.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 21863dd..01d68ed 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -44,6 +44,8 @@
 #include <linux/module.h>
 #include <linux/nsproxy.h>
 
+#include <linux/nospec.h>
+
 #include <rdma/rdma_user_cm.h>
 #include <rdma/ib_marshall.h>
 #include <rdma/rdma_cm.h>
@@ -1676,6 +1678,7 @@ static ssize_t ucma_write(struct file *filp, const char __user *buf,
 
 	if (hdr.cmd >= ARRAY_SIZE(ucma_cmd_table))
 		return -EINVAL;
+	hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucma_cmd_table));
 
 	if (hdr.in + sizeof(hdr) > len)
 		return -EINVAL;
-- 
2.7.4