Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp46667imu; Thu, 8 Nov 2018 14:30:55 -0800 (PST) X-Google-Smtp-Source: AJdET5c8+azHMajUTj5TrEsxcDFE2bCDH6+YTPMzJb36+NnbOdZLB59yMVbfTn+yCBuBPyGi6iN5 X-Received: by 2002:a17:902:6b4b:: with SMTP id g11-v6mr6368878plt.213.1541716255779; Thu, 08 Nov 2018 14:30:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541716255; cv=none; d=google.com; s=arc-20160816; b=Oaa5udzfj9M+YhpG0xQSJApSd+HschNlq7LxqkJBRKSZJzb3sFxj633f2zFpDU7vA7 6nYOyHHMWj4RP7u/ACJnU2lfefepc8ZkK4+jLl8me67+Ku8fakA3R9yvGgE4/LBPX/Hb Zx/E5pabW8XoO1e3V58EBWdTEE6XAOWijwwEUdHboP21Lf38/X9zRx7GyN5UfBrmpYDa eDHkxm0IHyO7mPzssV9owJRjSVeJ5Bu7C/NVouKusw0jOWpyEWY9rXqqgHnrGQxMxhtF DZLNr/r9bWWtGC1oA/Lhi8++EjCB9u8n3FeJxgOov7FUz9QjcUtPEenE2o11+juGE/gC TbOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=0TsNRVwSxmdo7DtsHCtOkV9unzBMSOy+Pj2f9bT5OHI=; b=yvTporkeY4IGXHkPNRxc5Wv+Vu/brrqbXIfz4E9Sd35Y2/1Aa3SxgV2WeOkSSoVCY7 T+RdD3cJMLETOrjvtX8iV1lLjNtnKkYbqEpfQNLtmHXe6Bg3H8dEDVdLkLNWHtQ+/8TU 3W8KePZYt45Uo3951EicKM3nCn7SoRgsYMT0oK/UrJHvggvJo/iJELnLLaBN06aki51d Y66T+DU0T1sZp/5GVNaEQdrLDwuTY5SHe9rogaGF62hAHpJZeJtzXqIOdnIeFRO4Fa7B zs/v7zknLIMcLgAgKyGQ97vejUYdEkMj+JG8RfunyBTQa+CymkmZ2JfM4emGyELzbuZ0 g4TQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="n3rdN/+0"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t25-v6si5838108pfj.53.2018.11.08.14.30.40; Thu, 08 Nov 2018 14:30:55 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="n3rdN/+0"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730820AbeKIHii (ORCPT + 99 others); Fri, 9 Nov 2018 02:38:38 -0500 Received: from mail.kernel.org ([198.145.29.99]:58010 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730799AbeKIHih (ORCPT ); Fri, 9 Nov 2018 02:38:37 -0500 Received: from localhost (unknown [208.72.13.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 923562146E; Thu, 8 Nov 2018 22:01:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541714468; bh=jkB59swUCrDCDkeglrJdCguzb444iD+LCObfdxPEYdw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=n3rdN/+0y10TadVllDZRWlkDLOSCxfdcSQUsE3lOuWdfmJ/qTDmNxShF136GpRCB7 IJBYPyG6gNAZIptYOlHwGRE56mPFI/X98gbdCdotSuhmEvLHNt0PmhOXEhdvHKvEHf FDcK2utJo3HY6uEM/kLr9OZyR13lA2DdmKQmkj7g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "Gustavo A. R. Silva" , Richard Cochran , "David S. Miller" Subject: [PATCH 4.4 105/114] ptp: fix Spectre v1 vulnerability Date: Thu, 8 Nov 2018 13:52:00 -0800 Message-Id: <20181108215110.278036964@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181108215059.051093652@linuxfoundation.org> References: <20181108215059.051093652@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Gustavo A. R. Silva commit efa61c8cf2950ab5c0e66cff3cabe2a2b24e81ba upstream. pin_index can be indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/ptp/ptp_chardev.c:253 ptp_ioctl() warn: potential spectre issue 'ops->pin_config' [r] (local cap) Fix this by sanitizing pin_index before using it to index ops->pin_config, and before passing it as an argument to function ptp_set_pinfunc(), in which it is used to index info->pin_config. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Acked-by: Richard Cochran Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/ptp/ptp_chardev.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/ptp/ptp_chardev.c +++ b/drivers/ptp/ptp_chardev.c @@ -23,6 +23,8 @@ #include #include +#include + #include "ptp_private.h" static int ptp_disable_pinfunc(struct ptp_clock_info *ops, @@ -224,6 +226,7 @@ long ptp_ioctl(struct posix_clock *pc, u err = -EINVAL; break; } + pin_index = array_index_nospec(pin_index, ops->n_pins); if (mutex_lock_interruptible(&ptp->pincfg_mux)) return -ERESTARTSYS; pd = ops->pin_config[pin_index]; @@ -242,6 +245,7 @@ long ptp_ioctl(struct posix_clock *pc, u err = -EINVAL; break; } + pin_index = array_index_nospec(pin_index, ops->n_pins); if (mutex_lock_interruptible(&ptp->pincfg_mux)) return -ERESTARTSYS; err = ptp_set_pinfunc(ptp, pin_index, pd.func, pd.chan);