Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp5508383imm; Tue, 16 Oct 2018 11:18:18 -0700 (PDT) X-Google-Smtp-Source: ACcGV601L85uZHDMR+iun3EnvI42nlvKxB8sz17mgPelY++PIQumGbTn1oEh29M0z4WWFInCZ58z X-Received: by 2002:a63:5b14:: with SMTP id p20-v6mr21060408pgb.56.1539713898374; Tue, 16 Oct 2018 11:18:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539713898; cv=none; d=google.com; s=arc-20160816; b=HTLj9Zm5o+mzzeDyN7QtAGBJDeQFvGGQCzkPHeGTb847iXLE2XjvEikV7vv3MWsxTG Mojc47KjLLDE95v0ZMSYat9dG7OgbpLzRXJreq8CLwg+pBirHAGD/861iXQQzDMfOc0q lJdYMMsg30FtnvU1yehkvgRt5xSRMvIk3ij1WXjKLOoXwONe66b7MlDaNcbK9c8XHQ/Q AJk8oLHgVUVKxyyCPBsb1RHRUOdvAidhBalRbvrhLtncTPCjwGZ3qa5h7TQCKvh2M/+a FNamTBmYeQWo3zgF4iM/jIACc8DLgcOP+QebKT+hXgtXXrkSuFiePaHhRnlF2v60OMh/ FVGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:autocrypt:openpgp:from:references:cc:to:subject; bh=V8giQyXDchSp/3dISUU+C2eiKn0OlID6F16v78uwRpU=; b=Me5+IGIdspXQUlZHHv6w5TPPW39fTO0M6zkWsKpo9PNfQjM737yRlHr0NycW9l/ltx UeNfJE3PWqpDXyakyHBZsWGK2hiw6K9LAu2Q/ghbvkzIlJhBtrBNjzfx17Hp9GpS1Ouf dIGQqiY+vyt0fCDxpoThvGmmFPoryvTVc5ukwJdYFhq0MlVU3u6ZNrZZRffu/YBOj4dH D8u2RXEN5YChU/94YBYrZX14nOdQBUPPLxkGo0iP4um4rBaNjlqyR3DRb6jtMmp8g2Ag Ax88Jlz0yCjwU1eMU23dSTjHLNyyTHVJUt+7XvYI7zPwxSYDhROfse07sGXuD/3s5FEd D15w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l7-v6si14491644pgm.102.2018.10.16.11.18.02; Tue, 16 Oct 2018 11:18:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727349AbeJQCI3 (ORCPT + 99 others); Tue, 16 Oct 2018 22:08:29 -0400 Received: from gateway36.websitewelcome.com ([192.185.197.22]:41963 "EHLO gateway36.websitewelcome.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727032AbeJQCI3 (ORCPT ); Tue, 16 Oct 2018 22:08:29 -0400 X-Greylist: delayed 1421 seconds by postgrey-1.27 at vger.kernel.org; Tue, 16 Oct 2018 22:08:28 EDT Received: from cm16.websitewelcome.com (cm16.websitewelcome.com [100.42.49.19]) by gateway36.websitewelcome.com (Postfix) with ESMTP id E5CAC4012BCA8 for ; Tue, 16 Oct 2018 12:00:13 -0500 (CDT) Received: from gator4166.hostgator.com ([108.167.133.22]) by cmsmtp with SMTP id CTWfg6jYTaSeyCTWlgRWwq; Tue, 16 Oct 2018 12:53:12 -0500 X-Authority-Reason: nr=8 Received: from lfbn-1-466-13.w86-245.abo.wanadoo.fr ([86.245.173.13]:43384 helo=[192.168.1.41]) by gator4166.hostgator.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from ) id 1gCTWe-00167p-Ie; Tue, 16 Oct 2018 12:53:00 -0500 Subject: Re: [PATCH] Input: uinput - fix Spectre v1 vulnerability To: Dmitry Torokhov Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org References: <20181016111313.GA28307@embeddedor.com> <20181016172107.GA230131@dtor-ws> From: "Gustavo A. R. Silva" Openpgp: preference=signencrypt Autocrypt: addr=gustavo@embeddedor.com; keydata= xsFNBFssHAwBEADIy3ZoPq3z5UpsUknd2v+IQud4TMJnJLTeXgTf4biSDSrXn73JQgsISBwG 2Pm4wnOyEgYUyJd5tRWcIbsURAgei918mck3tugT7AQiTUN3/5aAzqe/4ApDUC+uWNkpNnSV tjOx1hBpla0ifywy4bvFobwSh5/I3qohxDx+c1obd8Bp/B/iaOtnq0inli/8rlvKO9hp6Z4e DXL3PlD0QsLSc27AkwzLEc/D3ZaqBq7ItvT9Pyg0z3Q+2dtLF00f9+663HVC2EUgP25J3xDd 496SIeYDTkEgbJ7WYR0HYm9uirSET3lDqOVh1xPqoy+U9zTtuA9NQHVGk+hPcoazSqEtLGBk YE2mm2wzX5q2uoyptseSNceJ+HE9L+z1KlWW63HhddgtRGhbP8pj42bKaUSrrfDUsicfeJf6 m1iJRu0SXYVlMruGUB1PvZQ3O7TsVfAGCv85pFipdgk8KQnlRFkYhUjLft0u7CL1rDGZWDDr NaNj54q2CX9zuSxBn9XDXvGKyzKEZ4NY1Jfw+TAMPCp4buawuOsjONi2X0DfivFY+ZsjAIcx qQMglPtKk/wBs7q2lvJ+pHpgvLhLZyGqzAvKM1sVtRJ5j+ARKA0w4pYs5a5ufqcfT7dN6TBk LXZeD9xlVic93Ju08JSUx2ozlcfxq+BVNyA+dtv7elXUZ2DrYwARAQABzSxHdXN0YXZvIEEu IFIuIFNpbHZhIDxndXN0YXZvQGVtYmVkZGVkb3IuY29tPsLBfQQTAQgAJwUCWywcDAIbIwUJ CWYBgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRBHBbTLRwbbMZ6tEACk0hmmZ2FWL1Xi l/bPqDGFhzzexrdkXSfTTZjBV3a+4hIOe+jl6Rci/CvRicNW4H9yJHKBrqwwWm9fvKqOBAg9 obq753jydVmLwlXO7xjcfyfcMWyx9QdYLERTeQfDAfRqxir3xMeOiZwgQ6dzX3JjOXs6jHBP cgry90aWbaMpQRRhaAKeAS14EEe9TSIly5JepaHoVdASuxklvOC0VB0OwNblVSR2S5i5hSsh ewbOJtwSlonsYEj4EW1noQNSxnN/vKuvUNegMe+LTtnbbocFQ7dGMsT3kbYNIyIsp42B5eCu JXnyKLih7rSGBtPgJ540CjoPBkw2mCfhj2p5fElRJn1tcX2McsjzLFY5jK9RYFDavez5w3lx JFgFkla6sQHcrxH62gTkb9sUtNfXKucAfjjCMJ0iuQIHRbMYCa9v2YEymc0k0RvYr43GkA3N PJYd/vf9vU7VtZXaY4a/dz1d9dwIpyQARFQpSyvt++R74S78eY/+lX8wEznQdmRQ27kq7BJS R20KI/8knhUNUJR3epJu2YFT/JwHbRYC4BoIqWl+uNvDf+lUlI/D1wP+lCBSGr2LTkQRoU8U 64iK28BmjJh2K3WHmInC1hbUucWT7Swz/+6+FCuHzap/cjuzRN04Z3Fdj084oeUNpP6+b9yW e5YnLxF8ctRAp7K4yVlvA87BTQRbLBwMARAAsHCE31Ffrm6uig1BQplxMV8WnRBiZqbbsVJB H1AAh8tq2ULl7udfQo1bsPLGGQboJSVN9rckQQNahvHAIK8ZGfU4Qj8+CER+fYPp/MDZj+t0 DbnWSOrG7z9HIZo6PR9z4JZza3Hn/35jFggaqBtuydHwwBANZ7A6DVY+W0COEU4of7CAahQo 5NwYiwS0lGisLTqks5R0Vh+QpvDVfuaF6I8LUgQR/cSgLkR//V1uCEQYzhsoiJ3zc1HSRyOP otJTApqGBq80X0aCVj1LOiOF4rrdvQnj6iIlXQssdb+WhSYHeuJj1wD0ZlC7ds5zovXh+FfF l5qH5RFY/qVn3mNIVxeO987WSF0jh+T5ZlvUNdhedGndRmwFTxq2Li6GNMaolgnpO/CPcFpD jKxY/HBUSmaE9rNdAa1fCd4RsKLlhXda+IWpJZMHlmIKY8dlUybP+2qDzP2lY7kdFgPZRU+e zS/pzC/YTzAvCWM3tDgwoSl17vnZCr8wn2/1rKkcLvTDgiJLPCevqpTb6KFtZosQ02EGMuHQ I6Zk91jbx96nrdsSdBLGH3hbvLvjZm3C+fNlVb9uvWbdznObqcJxSH3SGOZ7kCHuVmXUcqoz ol6ioMHMb+InrHPP16aVDTBTPEGwgxXI38f7SUEn+NpbizWdLNz2hc907DvoPm6HEGCanpcA EQEAAcLBZQQYAQgADwUCWywcDAIbDAUJCWYBgAAKCRBHBbTLRwbbMdsZEACUjmsJx2CAY+QS UMebQRFjKavwXB/xE7fTt2ahuhHT8qQ/lWuRQedg4baInw9nhoPE+VenOzhGeGlsJ0Ys52sd XvUjUocKgUQq6ekOHbcw919nO5L9J2ejMf/VC/quN3r3xijgRtmuuwZjmmi8ct24TpGeoBK4 WrZGh/1hAYw4ieARvKvgjXRstcEqM5thUNkOOIheud/VpY+48QcccPKbngy//zNJWKbRbeVn imua0OpqRXhCrEVm/xomeOvl1WK1BVO7z8DjSdEBGzbV76sPDJb/fw+y+VWrkEiddD/9CSfg fBNOb1p1jVnT2mFgGneIWbU0zdDGhleI9UoQTr0e0b/7TU+Jo6TqwosP9nbk5hXw6uR5k5PF 8ieyHVq3qatJ9K1jPkBr8YWtI5uNwJJjTKIA1jHlj8McROroxMdI6qZ/wZ1ImuylpJuJwCDC ORYf5kW61fcrHEDlIvGc371OOvw6ejF8ksX5+L2zwh43l/pKkSVGFpxtMV6d6J3eqwTafL86 YJWH93PN+ZUh6i6Rd2U/i8jH5WvzR57UeWxE4P8bQc0hNGrUsHQH6bpHV2lbuhDdqo+cM9eh GZEO3+gCDFmKrjspZjkJbB5Gadzvts5fcWGOXEvuT8uQSvl+vEL0g6vczsyPBtqoBLa9SNrS VtSixD1uOgytAP7RWS474w== Message-ID: Date: Tue, 16 Oct 2018 19:52:58 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 MIME-Version: 1.0 In-Reply-To: <20181016172107.GA230131@dtor-ws> Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 7bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator4166.hostgator.com X-AntiAbuse: Original Domain - vger.kernel.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - embeddedor.com X-BWhitelist: no X-Source-IP: 86.245.173.13 X-Source-L: No X-Exim-ID: 1gCTWe-00167p-Ie X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: lfbn-1-466-13.w86-245.abo.wanadoo.fr ([192.168.1.41]) [86.245.173.13]:43384 X-Source-Auth: gustavo@embeddedor.com X-Email-Count: 26 X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20= X-Local-Domain: yes Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Dmitry, On 10/16/18 7:21 PM, Dmitry Torokhov wrote: > Hi Gustavo, > > On Tue, Oct 16, 2018 at 01:13:13PM +0200, Gustavo A. R. Silva wrote: >> setup.code can be indirectly controlled by user-space, hence leading to >> a potential exploitation of the Spectre variant 1 vulnerability. >> >> This issue was detected with the help of Smatch: >> >> drivers/input/misc/uinput.c:512 uinput_abs_setup() warn: potential >> spectre issue 'dev->absinfo' [w] (local cap) >> >> Fix this by sanitizing setup.code before using it to index dev->absinfo. > > So we are saying that attacker, by repeatedly calling ioctl(..., > UI_ABS_SETUP, ...) will be able to poison branch predictor and discover > another program or kernel secrets? But uinput is a privileged interface > open to root only, as it allows injecting arbitrary keystrokes into the > kernel. And since only root can use uinput, meh? > Oh I see... in that case this is a false positive. Although, I wonder if all these operations are only accessible to root: static const struct file_operations uinput_fops = { .owner = THIS_MODULE, .open = uinput_open, .release = uinput_release, .read = uinput_read, .write = uinput_write, .poll = uinput_poll, .unlocked_ioctl = uinput_ioctl, #ifdef CONFIG_COMPAT .compat_ioctl = uinput_compat_ioctl, #endif .llseek = no_llseek, }; Thanks for the feedback. -- Gustavo