Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3429580imu; Sun, 11 Nov 2018 14:55:25 -0800 (PST) X-Google-Smtp-Source: AJdET5fer1WG2R9ljLpICOID9YaSNtXdal28QL9gyjgGrTGpOyXwiF8O7KTa6q9VkvYUhWEDeb2N X-Received: by 2002:a17:902:6686:: with SMTP id e6-v6mr17569172plk.173.1541976925839; Sun, 11 Nov 2018 14:55:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541976925; cv=none; d=google.com; s=arc-20160816; b=t8nxMCJsE4bmPfQrtuInzTyrYkj4J2QUf7oUeoduWBRuxN+JHdq9UV40jRb5EemUqn 6bEiKY/8qMtRc5xt92z5F9w7NpTxDYD7LPbd/Kzdd5k1pUPRABATN0JVPdFkqOzthsNV DByvsWF451Z6Gr38ccYc2Z86B2zh1pTZAPlS5RXIeBOdKfmO4xRBdICmNXdtzViedlax XVAbkAR+J2QsfnluT3mD9o9HtPuGD2BH8qPBbVcLSomV62Cduav7+Gevav3IHQ+YBDrS UiwibCtr96BebU/iG/S9sLdWQYZm2jApmwIZEt46PgR0vJh3Xbd1aNf8L7GmhkIS2mL4 LKZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=U0rVX7Cg5TiKCtb6TtfmXRzx/6oE2NSW3W7gVh/iyVw=; b=T+R53kKa1XSc6YLuV81q5XjrU4JYFp5jBbrqgVqi2T++du2xwXBdfjZ4RHYNI+yI3n dxIXQ6GicY0wDl/R6ZmeO8j16JqIi1AYiSGzhsPA/h0qctoY3A8qfniMMmf4y9DNE+Y8 zxd7IGMF3Zll/i+9L+ViZ8tz29WNOhIIhMRicu2Dgg2V3zgvU4jem1gp6ulPltzD29jr wOpkR0nYIxu16lU2OspU61lvAJgW5vV06UENEmgjMpdZb3GULb7oCHRK7EuBbr0SXzWf 62w4tgX3d9saZtrslSr8QoFBOLq4ydiM05aH83bbHcyLzkBidKSAwSt5/HdyfZoMAO5W 5ZfQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=H6tYiDYp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w17si8390263pgl.6.2018.11.11.14.55.11; Sun, 11 Nov 2018 14:55:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=H6tYiDYp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390871AbeKLInn (ORCPT + 99 others); Mon, 12 Nov 2018 03:43:43 -0500 Received: from mail.kernel.org ([198.145.29.99]:54620 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404015AbeKLIW7 (ORCPT ); Mon, 12 Nov 2018 03:22:59 -0500 Received: from localhost (unknown [206.108.79.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2FB52224B3; Sun, 11 Nov 2018 22:33:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541975582; bh=Vu19nf84YFegTf/jGN9rFhkI+R6ZQ77xbKnirTcpA5M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=H6tYiDYpabgR0rgd+Y8cDWSOhZ0i/S/jztyyBwxFdBhFzKXvmRzbShUYorwERm8M9 a/FMPW5YVWmYPcMSJLvpmTGE/7WErw0UixajX+rF+jFKG/hAesTA27W9Z/MuePZIWE Bvwinr4/BRZ1SXjI3NWERZI7JIZPU8irxsHWsiRQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Breno Leitao , Jiri Kosina Subject: [PATCH 4.14 141/222] HID: hiddev: fix potential Spectre v1 Date: Sun, 11 Nov 2018 14:23:58 -0800 Message-Id: <20181111221700.125211106@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181111221647.665769131@linuxfoundation.org> References: <20181111221647.665769131@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Breno Leitao commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream. uref->usage_index can be indirectly controlled by userspace, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This field is used as an array index by the hiddev_ioctl_usage() function, when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or HIDIOCSUSAGES. For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to field->maxusage and then used as an index to dereference field->usage array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where uref->usage_index is checked against an array maximum value and then it is used as an index in an array. This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the traditional Spectre V1 first load: copy_from_user(uref, user_arg, sizeof(*uref)) if (uref->usage_index >= field->maxusage) goto inval; i = field->usage[uref->usage_index].collection_index; return i; This patch fixes this by sanitizing field uref->usage_index before using it to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load. Cc: Signed-off-by: Breno Leitao v2: Contemplate cmd == HIDIOC{G,S}USAGES case Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman --- drivers/hid/usbhid/hiddev.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) --- a/drivers/hid/usbhid/hiddev.c +++ b/drivers/hid/usbhid/hiddev.c @@ -512,14 +512,24 @@ static noinline int hiddev_ioctl_usage(s if (cmd == HIDIOCGCOLLECTIONINDEX) { if (uref->usage_index >= field->maxusage) goto inval; + uref->usage_index = + array_index_nospec(uref->usage_index, + field->maxusage); } else if (uref->usage_index >= field->report_count) goto inval; } - if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) && - (uref_multi->num_values > HID_MAX_MULTI_USAGES || - uref->usage_index + uref_multi->num_values > field->report_count)) - goto inval; + if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) { + if (uref_multi->num_values > HID_MAX_MULTI_USAGES || + uref->usage_index + uref_multi->num_values > + field->report_count) + goto inval; + + uref->usage_index = + array_index_nospec(uref->usage_index, + field->report_count - + uref_multi->num_values); + } switch (cmd) { case HIDIOCGUSAGE: