Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3429580imu;
        Sun, 11 Nov 2018 14:55:25 -0800 (PST)
X-Google-Smtp-Source: AJdET5fer1WG2R9ljLpICOID9YaSNtXdal28QL9gyjgGrTGpOyXwiF8O7KTa6q9VkvYUhWEDeb2N
X-Received: by 2002:a17:902:6686:: with SMTP id e6-v6mr17569172plk.173.1541976925839;
        Sun, 11 Nov 2018 14:55:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1541976925; cv=none;
        d=google.com; s=arc-20160816;
        b=t8nxMCJsE4bmPfQrtuInzTyrYkj4J2QUf7oUeoduWBRuxN+JHdq9UV40jRb5EemUqn
         6bEiKY/8qMtRc5xt92z5F9w7NpTxDYD7LPbd/Kzdd5k1pUPRABATN0JVPdFkqOzthsNV
         DByvsWF451Z6Gr38ccYc2Z86B2zh1pTZAPlS5RXIeBOdKfmO4xRBdICmNXdtzViedlax
         XVAbkAR+J2QsfnluT3mD9o9HtPuGD2BH8qPBbVcLSomV62Cduav7+Gevav3IHQ+YBDrS
         UiwibCtr96BebU/iG/S9sLdWQYZm2jApmwIZEt46PgR0vJh3Xbd1aNf8L7GmhkIS2mL4
         LKZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=U0rVX7Cg5TiKCtb6TtfmXRzx/6oE2NSW3W7gVh/iyVw=;
        b=T+R53kKa1XSc6YLuV81q5XjrU4JYFp5jBbrqgVqi2T++du2xwXBdfjZ4RHYNI+yI3n
         dxIXQ6GicY0wDl/R6ZmeO8j16JqIi1AYiSGzhsPA/h0qctoY3A8qfniMMmf4y9DNE+Y8
         zxd7IGMF3Zll/i+9L+ViZ8tz29WNOhIIhMRicu2Dgg2V3zgvU4jem1gp6ulPltzD29jr
         wOpkR0nYIxu16lU2OspU61lvAJgW5vV06UENEmgjMpdZb3GULb7oCHRK7EuBbr0SXzWf
         62w4tgX3d9saZtrslSr8QoFBOLq4ydiM05aH83bbHcyLzkBidKSAwSt5/HdyfZoMAO5W
         5ZfQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=H6tYiDYp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w17si8390263pgl.6.2018.11.11.14.55.11;
        Sun, 11 Nov 2018 14:55:25 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=H6tYiDYp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390871AbeKLInn (ORCPT <rfc822;hubert.jasudowicz@gmail.com>
        + 99 others); Mon, 12 Nov 2018 03:43:43 -0500
Received: from mail.kernel.org ([198.145.29.99]:54620 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2404015AbeKLIW7 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Nov 2018 03:22:59 -0500
Received: from localhost (unknown [206.108.79.134])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 2FB52224B3;
        Sun, 11 Nov 2018 22:33:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1541975582;
        bh=Vu19nf84YFegTf/jGN9rFhkI+R6ZQ77xbKnirTcpA5M=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=H6tYiDYpabgR0rgd+Y8cDWSOhZ0i/S/jztyyBwxFdBhFzKXvmRzbShUYorwERm8M9
         a/FMPW5YVWmYPcMSJLvpmTGE/7WErw0UixajX+rF+jFKG/hAesTA27W9Z/MuePZIWE
         Bvwinr4/BRZ1SXjI3NWERZI7JIZPU8irxsHWsiRQ=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Breno Leitao <leitao@debian.org>,
        Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH 4.14 141/222] HID: hiddev: fix potential Spectre v1
Date:   Sun, 11 Nov 2018 14:23:58 -0800
Message-Id: <20181111221700.125211106@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181111221647.665769131@linuxfoundation.org>
References: <20181111221647.665769131@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream.

uref->usage_index can be indirectly controlled by userspace, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.

This field is used as an array index by the hiddev_ioctl_usage() function,
when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
HIDIOCSUSAGES.

For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
field->maxusage and then used as an index to dereference field->usage
array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
uref->usage_index is checked against an array maximum value and then it is
used as an index in an array.

This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
traditional Spectre V1 first load:

	copy_from_user(uref, user_arg, sizeof(*uref))
	if (uref->usage_index >= field->maxusage)
		goto inval;
	i = field->usage[uref->usage_index].collection_index;
	return i;

This patch fixes this by sanitizing field uref->usage_index before using it
to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.

Cc: <stable@vger.kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
v2: Contemplate cmd == HIDIOC{G,S}USAGES case
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/usbhid/hiddev.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -512,14 +512,24 @@ static noinline int hiddev_ioctl_usage(s
 			if (cmd == HIDIOCGCOLLECTIONINDEX) {
 				if (uref->usage_index >= field->maxusage)
 					goto inval;
+				uref->usage_index =
+					array_index_nospec(uref->usage_index,
+							   field->maxusage);
 			} else if (uref->usage_index >= field->report_count)
 				goto inval;
 		}
 
-		if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-		    (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-		     uref->usage_index + uref_multi->num_values > field->report_count))
-			goto inval;
+		if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) {
+			if (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+			    uref->usage_index + uref_multi->num_values >
+			    field->report_count)
+				goto inval;
+
+			uref->usage_index =
+				array_index_nospec(uref->usage_index,
+						   field->report_count -
+						   uref_multi->num_values);
+		}
 
 		switch (cmd) {
 		case HIDIOCGUSAGE: