From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Greg Kroah-Hartman", "Gustavo A. R. Silva"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 235/328] misc: hmc6352: fix potential Spectre v1

3.16.62-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva"

commit de916736aaaadddbd6061472969f667b14204aa9 upstream.

val is indirectly controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/misc/hmc6352.c:54 compass_store() warn: potential spectre issue 'map' [r]

Fix this by sanitizing val before using it to index map

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
--- drivers/misc/hmc6352.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/misc/hmc6352.c +++ b/drivers/misc/hmc6352.c @@ -27,6 +27,7 @@ #include #include #include +#include static DEFINE_MUTEX(compass_mutex); @@ -50,6 +51,7 @@ static int compass_store(struct device * return ret; if (val >= strlen(map)) return -EINVAL; + val = array_index_nospec(val, strlen(map)); mutex_lock(&compass_mutex); ret = compass_command(c, map[val]); mutex_unlock(&compass_mutex);
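
Review bot: in the compass_store() hunk, strlen(map) is evaluated twice, once in the "val >= strlen(map)" check and again as the size argument of array_index_nospec(). Computing it once into a local (for example "size_t len = strlen(map);") and using len in both places makes it explicit that the architectural check and the speculative clamp share one bound, and it avoids a second walk of the string. A one-line comment above the clamp would also help, because the range check directly above it makes the new assignment look redundant to a reader who does not know it is there to constrain speculative execution.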
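
The clamp the commit message describes, modelled in user-space C as an added example (not code from the patch or from the kernel tree). The names index_mask, clamp_index and pick_command and the sample map are hypothetical. The block reproduces only the arithmetic of a branchless index mask, with an unsigned shift where the kernel's generic helper uses a signed one, and none of the kernel's compiler or architecture hardening.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LONG_BITS (sizeof(unsigned long) * CHAR_BIT)

/*
 * Hypothetical user-space model of a branchless index mask: all ones when
 * index < size, zero otherwise. No conditional branch is involved, so there
 * is no prediction to get wrong. Assumes size <= LONG_MAX.
 */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
	/* Top bit of x is set iff index >= size (size - 1 - index wraps). */
	unsigned long x = index | (size - 1UL - index);

	return 0UL - (~x >> (LONG_BITS - 1));
}

/* Clamp: in-range indexes pass through, anything else becomes 0. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
	return index & index_mask(index, size);
}

/*
 * Same shape as the patched compass_store(): architectural bounds check,
 * then the clamp, then the table load. Returns -1 where the driver
 * returns -EINVAL.
 */
static int pick_command(const char *map, unsigned long val)
{
	size_t len = strlen(map);

	if (val >= len)
		return -1;
	val = clamp_index(val, len);
	return (unsigned char)map[val];
}

int main(void)
{
	const char *map = "ABC";	/* constructed sample command map */

	printf("val=1 -> %d\n", pick_command(map, 1));
	printf("val=3 -> %d\n", pick_command(map, 3));
	printf("clamp(7, 3) = %lu\n", clamp_index(7, 3));
	return 0;
}
```

Because the mask is data-dependent rather than control-dependent, a mispredicted bounds check can at worst load map[0], never an out-of-range byte.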