Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3715160imu; Mon, 28 Jan 2019 09:30:59 -0800 (PST) X-Google-Smtp-Source: ALg8bN56WmFgUh0kfVLry+6Z5M8asF8215bvSuD4dqxNa6aIXaNBA/siiT1N9nRukPD+4NmqI1ZL X-Received: by 2002:a62:61c3:: with SMTP id v186mr22925810pfb.55.1548696659504; Mon, 28 Jan 2019 09:30:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548696659; cv=none; d=google.com; s=arc-20160816; b=VC/N4+AEAywgd1lIpUcPrdhznv0pOtiylD1se8aoRsBgnU69disbccYYdhD2BmX8SF 42XS7BnoEP0aKEzE4MCmiJIqi7ifZ69B4oIafXe9qVLE05NHxJJN0p2suqbaEdtm56Hd G0SrXYHUClNFqtC7AhT0cBntEWyGGnEU1A243QIdaj/jPy9s6SgjYeDuAhOU7A/aRlEC gBreCpHCj5e8IV6d0dSeER7N8XhFvGuJhy3IlZN/qpbHGtUGYi1Wl2fkOHg8pb1BN020 8gZKk+crzQtnTbawZVyFA3F+QpUV3O9lgl3HjIC9/LgJzoZFbtVjtMHSU1HiSIRQrK8e ppuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=3uCA3DF9Os1qwQlTR6ACUx1pMxxPf2WE/tgsdv1ffO4=; b=cLfZrF7VKqwaVX2iC5dnK0KBaYUDqqI81u6eTb9BU40KheNpGf10qeoEfURv5j7qzc rR7i+ArxJ6ZZ6nZQukB8wPDR94l+7f0ufGgTPdugnLn5XkucPPwFvhD/yKpBYql/Lw+O AwOaHATGtOX7gWxF3HxSymEWE8ayhTRadI5PF4Cq1O8P1T4wrjm1wn3rnqC0t+1wA4zi 01BDVT9Ds2F8BsJh64i7xBzsGerZxaxIWx6PsGnagy47YRH1Y55DEaJ6CO8FpHQQciPw eCCoyW7il1yWfoqF5LbCPEd5oOsUy+udFX9LF0rse1q3VU0sQ8C5B2DdbcrSPpcA0pbj MPxw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=d5OM+q3B; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u23si3191215pfi.175.2019.01.28.09.30.44; Mon, 28 Jan 2019 09:30:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=d5OM+q3B; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730304AbfA1P7c (ORCPT + 99 others); Mon, 28 Jan 2019 10:59:32 -0500 Received: from mail.kernel.org ([198.145.29.99]:44808 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727635AbfA1P7a (ORCPT ); Mon, 28 Jan 2019 10:59:30 -0500 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9EDBC2082E; Mon, 28 Jan 2019 15:59:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1548691169; bh=nTw80dbxyxLqJGQAux0HYYBdFmCk1ufKrbHClGiizjY=; h=From:To:Cc:Subject:Date:From; b=d5OM+q3BZSf6tH9WQEU6b6CW9WrIfLNvk0BeTfBVYD7UQvR3I5h6GKITjKvC8+Rfh hPTO5TaO8f2dYST3Fyt7+SeTTOeSjlZTYRUwEckLwcRz5GMFpKJgDiuvxz1edA0pgG Lob7bQL1kM7MFB01DKdzCVd+l0M+OgXldElZ4k14= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: "Gustavo A. R. Silva" , Daniel Vetter , Sasha Levin , dri-devel@lists.freedesktop.org Subject: [PATCH AUTOSEL 4.19 001/258] drm/bufs: Fix Spectre v1 vulnerability Date: Mon, 28 Jan 2019 10:55:07 -0500 Message-Id: <20190128155924.51521-1-sashal@kernel.org> X-Mailer: git-send-email 2.19.1 MIME-Version: 1.0 X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: "Gustavo A. R. Silva" [ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ] idx can be indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential spectre issue 'dma->buflist' [r] (local cap) Fix this by sanitizing idx before using it to index dma->buflist Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Signed-off-by: Gustavo A. R. Silva Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com Signed-off-by: Sasha Levin --- drivers/gpu/drm/drm_bufs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c index ba8cfe65c65b..e2f775d1c112 100644 --- a/drivers/gpu/drm/drm_bufs.c +++ b/drivers/gpu/drm/drm_bufs.c @@ -36,6 +36,8 @@ #include #include "drm_legacy.h" +#include + static struct drm_map_list *drm_find_matching_map(struct drm_device *dev, struct drm_local_map *map) { @@ -1417,6 +1419,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data, idx, dma->buf_count - 1); return -EINVAL; } + idx = array_index_nospec(idx, dma->buf_count); buf = dma->buflist[idx]; if (buf->file_priv != file_priv) { DRM_ERROR("Process %d freeing buffer not owned\n", -- 2.19.1