From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Gustavo A. R. Silva"
Subject: [PATCH 5.0 34/46] applicom: Fix potential Spectre v1 vulnerabilities
Date: Fri, 8 Mar 2019 13:50:07 +0100
Message-Id: <20190308124904.465092673@linuxfoundation.org>
In-Reply-To: <20190308124902.257040783@linuxfoundation.org>
References: <20190308124902.257040783@linuxfoundation.org>
X-stable: review

5.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Gustavo A. R. Silva

commit d7ac3c6ef5d8ce14b6381d52eb7adafdd6c8bb3c upstream.

IndexCard is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/char/applicom.c:418 ac_write() warn: potential spectre issue 'apbs' [r]
drivers/char/applicom.c:728 ac_ioctl() warn: potential spectre issue 'apbs' [r] (local cap)

Fix this by sanitizing IndexCard before using it to index apbs.

Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Greg Kroah-Hartman
---
 drivers/char/applicom.c | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

--- a/drivers/char/applicom.c +++ b/drivers/char/applicom.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include
@@ -386,7 +387,11 @@ static ssize_t ac_write(struct file *fil TicCard = st_loc.tic_des_from_pc; /* tic number to send */ IndexCard = NumCard - 1; - if((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO) + if (IndexCard >= MAX_BOARD) + return -EINVAL; + IndexCard = array_index_nospec(IndexCard, MAX_BOARD); + + if (!apbs[IndexCard].RamIO) return -EINVAL; #ifdef DEBUG @@ -697,6 +702,7 @@ static long ac_ioctl(struct file *file, unsigned char IndexCard; void __iomem *pmem; int ret = 0; + static int warncount = 10; volatile unsigned char byte_reset_it; struct st_ram_io *adgl; void __user *argp = (void __user *)arg; @@ -711,16 +717,12 @@ static long ac_ioctl(struct file *file, mutex_lock(&ac_mutex); IndexCard = adgl->num_card-1; - if(cmd != 6 && ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) { - static int warncount = 10; - if (warncount) { - printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number %d\n",(int)IndexCard+1); - warncount--; - } - kfree(adgl); - mutex_unlock(&ac_mutex); - return -EINVAL; - } + if (cmd != 6 && IndexCard >= MAX_BOARD) + goto err; + IndexCard = array_index_nospec(IndexCard, MAX_BOARD); + + if (cmd != 6 && !apbs[IndexCard].RamIO) + goto err; switch (cmd) { @@ -838,5 +840,16 @@ static long ac_ioctl(struct file *file, kfree(adgl); mutex_unlock(&ac_mutex); return 0; + +err: + if (warncount) { + pr_warn("APPLICOM driver IOCTL, bad board number %d\n", + (int)IndexCard + 1); + warncount--; + } + kfree(adgl); + mutex_unlock(&ac_mutex); + return -EINVAL; + }
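Review bot: the header name on the added `+#include` line in the first hunk (@@ -32,6 +32,7 @@) did not survive in this copy of the patch; confirm it is the header that declares array_index_nospec(), since the ac_write() and ac_ioctl() hunks call it and nothing else in the patch pulls that declaration in.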
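Review bot: in the ac_write() hunk (@@ -386,7 +387,11 @@) the explicit `NumCard < 1` test is dropped and the range test becomes `if (IndexCard >= MAX_BOARD)` on `IndexCard = NumCard - 1`; that rejects NumCard == 0 only if IndexCard is an unsigned type that wraps to a large value, and it is equivalent to the old `NumCard > MAX_BOARD` test only if NumCard is not wider than IndexCard (otherwise the subtraction truncates and a value such as 257 would land on index 0). Neither declaration is in this hunk's context, so confirm both types in the review. The ordering itself is right: range check first, then `array_index_nospec(IndexCard, MAX_BOARD)`, and only then the first load from `apbs[IndexCard].RamIO`.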
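Review bot: in the ac_ioctl() check hunk (@@ -711,16 +717,12 @@) `IndexCard = array_index_nospec(IndexCard, MAX_BOARD);` runs unconditionally while both tests around it are gated on `cmd != 6`, so for cmd == 6 an out-of-range num_card is no longer passed through unchanged but clamped to index 0 (array_index_nospec() yields 0 for an index >= size). That is harmless only if nothing under the cmd 6 case reads apbs[IndexCard]; the switch body is outside this hunk's context, so either confirm that or put the array_index_nospec() call under the same `cmd != 6` condition. The rest of the shape is correct: range check, clamp, then the `!apbs[IndexCard].RamIO` load, which is the "kill the speculation on the first load" policy the commit message cites.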
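Review bot: the new `err:` block in the last hunk (@@ -838,5 +840,16 @@) also switches the message from `printk( KERN_WARNING ...` to `pr_warn(...)`, a cosmetic change the commit message does not mention and that makes a stable backport slightly harder to audit; it belongs in a separate cleanup. The message still prints `(int)IndexCard + 1`, which is the caller's original value on the first `goto err` and, because array_index_nospec() is an identity for in-range indices, still the caller's value on the second, so the reported board number stays accurate; the `static int warncount = 10;` it decrements is now at function scope (previous hunk), which keeps the single rate-limit counter both error paths need.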
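A user-space model of the reject-then-clamp pattern this patch introduces, added here as an example; it is not code from the applicom driver or from the kernel. index_mask_nospec() mirrors the arithmetic of the kernel's generic fallback for array_index_mask_nospec(); MAX_BOARD = 8, the struct board stand-in, the constructed apbs[] contents and the two lookup_* helpers are assumptions for illustration.

```c
/* Added example: user-space model of the check-then-clamp pattern from the
 * patch.  Not driver or kernel code; MAX_BOARD, struct board and the two
 * lookup helpers are simplified stand-ins chosen for illustration. */
#define MAX_BOARD 8             /* board count; value assumed here */

/* Stand-in for the driver's per-board struct: only the field the checks read.
 * Constructed sample: boards 1 and 3 (indices 0 and 2) have RamIO mapped. */
struct board { void *RamIO; };
static struct board apbs[MAX_BOARD] = {
    [0] = { .RamIO = &apbs[0] },
    [2] = { .RamIO = &apbs[2] },
};

/* All-ones when index < size, zero otherwise, computed without a branch so
 * the mask is identical on a mispredicted path.  Same arithmetic as the
 * kernel's generic fallback; relies on gcc/clang's arithmetic right shift. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
                           (sizeof(long) * 8 - 1));
}

/* array_index_nospec() model: in-range index unchanged, out-of-range -> 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Pre-patch shape of ac_write(): bounds test and apbs[] load in one expression,
 * so the load can be issued speculatively before the comparison resolves. */
static int lookup_before(unsigned char NumCard)
{
    unsigned char IndexCard = NumCard - 1;
    if ((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO)
        return -1;                      /* -EINVAL in the driver */
    return IndexCard;
}

/* Post-patch shape: reject, clamp, and only then touch apbs[].  With an
 * unsigned IndexCard, NumCard == 0 wraps to 255 and fails the first test. */
static int lookup_after(unsigned char NumCard)
{
    unsigned char IndexCard = NumCard - 1;
    if (IndexCard >= MAX_BOARD)
        return -1;
    IndexCard = (unsigned char)index_nospec(IndexCard, MAX_BOARD);
    if (!apbs[IndexCard].RamIO)
        return -1;
    return IndexCard;
}
```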