Date: Thu, 20 Dec 2018 08:14:05 +0100
From: Daniel Vetter
To: "Gustavo A. R. Silva"
Cc: Maarten Lankhorst, Maxime Ripard, Sean Paul, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drm/ioctl: Fix Spectre v1 vulnerabilities
Message-ID: <20181220071404.GD21184@phenom.ffwll.local>
In-Reply-To: <20181220000015.GA18973@embeddedor>

On Wed, Dec 19, 2018 at 06:00:15PM -0600, Gustavo A. R. Silva wrote:
> nr is indirectly controlled by user-space, hence leading to a
> potential exploitation of the Spectre variant 1 vulnerability.
>
> This issue was detected with the help of Smatch:
>
> drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r]
> drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
> drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
>
> Fix this by sanitizing nr before using it to index dev->driver->ioctls
> and drm_ioctls.
>
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
>
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva

lgtm and I think there's no other obvious place where we need
array_index_nospec in drm core.

Applied to drm-misc-fixes.
-Daniel

> ---
> drivers/gpu/drm/drm_ioctl.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
> index 94bd872d56c4..7e6746b2d704 100644
> --- a/drivers/gpu/drm/drm_ioctl.c
> +++ b/drivers/gpu/drm/drm_ioctl.c
> @@ -37,6 +37,7 @@
>
> #include
> #include
> +#include
>
> /**
> * DOC: getunique and setversion story
> @@ -800,13 +801,17 @@ long drm_ioctl(struct file *filp,
>
> if (is_driver_ioctl) {
> /* driver ioctl */
> - if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
> + unsigned int index = nr - DRM_COMMAND_BASE;
> +
> + if (index >= dev->driver->num_ioctls)
> goto err_i1;
> - ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
> + index = array_index_nospec(index, dev->driver->num_ioctls);
> + ioctl = &dev->driver->ioctls[index];
> } else {
> /* core ioctl */
> if (nr >= DRM_CORE_IOCTL_COUNT)
> goto err_i1;
> + nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
> ioctl = &drm_ioctls[nr];
> }
>
> @@ -888,6 +893,7 @@ bool drm_ioctl_flags(unsigned int nr, unsigned int *flags)
>
> if (nr >= DRM_CORE_IOCTL_COUNT)
> return false;
> + nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
>
> *flags = drm_ioctls[nr].flags;
> return true;
> --
> 2.20.1
>

--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
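Review bot: in the drm_ioctl() hunk, the new `unsigned int index = nr - DRM_COMMAND_BASE;` in the driver-ioctl branch is only well-defined because is_driver_ioctl has already established nr >= DRM_COMMAND_BASE, and that condition is outside the hunk; a one-line comment at the declaration would make the dependency explicit, and the two array_index_nospec() calls deserve a short comment stating that they clamp the index for the speculative path after the `>=` check has rejected out-of-range values architecturally, since neither call changes the value of an in-range index.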
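Review bot: the drm_ioctl_flags() hunk repeats the exact pair from the core-ioctl branch of drm_ioctl(), `if (nr >= DRM_CORE_IOCTL_COUNT)` followed by `nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);`; a small static helper that performs the check and returns the clamped index would keep the two steps from being separated in a future edit to either site, which is the failure mode this patch exists to close.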
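As an added illustration, not code from the patch or from the drm tree, here is a userland C model of what array_index_nospec() does to the ioctl lookup: nospec_mask() and nospec_index() re-derive the kernel's generic branchless clamp, and dispatch() mirrors the patched two-branch lookup using constructed stand-in tables and a CMD_BASE constant that plays the role of DRM_COMMAND_BASE.

```c
#include <stdio.h>

/* Branchless mask in the style of the kernel's generic
 * array_index_mask_nospec(): all ones when index < size, all zeros otherwise.
 * Unlike a branch it cannot be mispredicted; it is computed on the
 * speculative path too. Relies on arithmetic right shift, as the kernel does. */
static unsigned long nospec_mask(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* Model of array_index_nospec(): an in-range index passes through unchanged,
 * an out-of-range one becomes 0, so a mispredicted load stays inside the table. */
static unsigned long nospec_index(unsigned long index, unsigned long size)
{
    return index & nospec_mask(index, size);
}

/* Stand-in dispatch tables, constructed for this example. */
typedef int (*ioctl_fn)(void);
static int core_a(void) { return 10; }
static int core_b(void) { return 11; }
static int drv_a(void)  { return 20; }
static int drv_b(void)  { return 21; }
#define CORE_IOCTL_COUNT 2
#define CMD_BASE 0x40                 /* plays the role of DRM_COMMAND_BASE */
static const ioctl_fn core_ioctls[CORE_IOCTL_COUNT] = { core_a, core_b };
static const ioctl_fn driver_ioctls[] = { drv_a, drv_b };
static const unsigned int num_driver_ioctls = 2;

/* Same shape as the patched drm_ioctl(): the architectural bounds check
 * rejects bad nr values, then the clamp makes the index that reaches the
 * load safe even if that check was mispredicted. Returns -1 when rejected. */
static int dispatch(unsigned int nr)
{
    if (nr >= CMD_BASE) {                       /* driver ioctl */
        unsigned int index = nr - CMD_BASE;
        if (index >= num_driver_ioctls)
            return -1;
        index = nospec_index(index, num_driver_ioctls);
        return driver_ioctls[index]();
    }
    if (nr >= CORE_IOCTL_COUNT)                 /* core ioctl */
        return -1;
    nr = nospec_index(nr, CORE_IOCTL_COUNT);
    return core_ioctls[nr]();
}
```

Calling nospec_index(7, 2) directly shows the property the patch depends on: the out-of-range index is forced to 0 rather than left to select a speculative out-of-bounds load.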