From: Dianzhang Chen
To: tglx@linutronix.de
Cc: mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org, Dianzhang Chen
Subject: [PATCH v2] x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
Date: Tue, 25 Jun 2019 23:30:17 +0800
Message-Id: <1561476617-3759-1-git-send-email-dianzhangchen0@gmail.com>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-kernel@vger.kernel.org

The index to access the thread's ptrace_bps is controlled by userspace via syscall: sys_ptrace(), hence leading to a potential exploitation of the Spectre variant 1 vulnerability.

The n can be controlled from:
ptrace -> arch_ptrace -> ptrace_get_debugreg.

Fix this by sanitizing n before using it to index thread->ptrace_bps.

Signed-off-by: Dianzhang Chen
---
 arch/x86/kernel/ptrace.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
index a166c96..cbac646 100644
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
@@ -25,6 +25,7 @@ #include #include #include +#include #include #include 
@@ -643,9 +644,11 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n) { struct thread_struct *thread = &tsk->thread; unsigned long val = 0; + int index = n; if (n < HBP_NUM) { - struct perf_event *bp = thread->ptrace_bps[n]; + index = array_index_nospec(index, HBP_NUM); + struct perf_event *bp = thread->ptrace_bps[index]; if (bp) val = bp->hw.info.address; -- 2.7.4
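Review bot: In the ptrace_get_debugreg() hunk, `int index = n;` is declared at function scope and then reassigned with `index = array_index_nospec(index, HBP_NUM);` inside the `if (n < HBP_NUM)` block, directly ahead of the declaration `struct perf_event *bp = thread->ptrace_bps[index];`. That places a statement before a declaration in the same block, which the kernel build flags with -Wdeclaration-after-statement, and the function-scope copy of n is never used outside the block. Fold both into a single line inside the block, `int index = array_index_nospec(n, HBP_NUM);`, keeping it after the `if (n < HBP_NUM)` test, since array_index_nospec() only neutralises the speculative path when the architectural bounds check precedes it. Also note that n is a signed int and the visible check is only an upper bound: array_index_nospec() treats a negative value as out of range and clamps the index to 0, so whether a negative n can reach this function is decided by the caller, not by this hunk.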
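To make the fix concrete, the following is an added example, not code from this patch or from the kernel tree: a user-space re-implementation of the generic array_index_mask_nospec()/array_index_nospec() pattern from include/linux/nospec.h, applied to a toy ptrace_bps-style table, so the clamp can be exercised directly. The table contents, the toy_bp type, the get_debugreg_* function names and the use of volatile in place of OPTIMIZER_HIDE_VAR() are all assumptions made for the example; HBP_NUM is set to 4 only so the table is small. It can show the architectural behaviour of the mask (in range preserved, out of range and negative clamped to slot 0), not the speculative leak itself.

```c
/*
 * Added example (not code from the patch or the kernel): a user-space model of
 * the kernel's generic array_index_mask_nospec()/array_index_nospec() from
 * include/linux/nospec.h, driving a toy ptrace_bps-style table.
 * HBP_NUM, the toy_bp type and the table contents are constructed for this demo.
 */
#include <stddef.h>
#include <stdio.h>

#define HBP_NUM 4
#define BITS_PER_LONG (8 * sizeof(unsigned long))

/*
 * Branchless mask: ~0UL when index < size, 0 otherwise. A negative int that
 * was converted to unsigned long is huge, so it also yields 0.
 * The volatile round trip stands in for OPTIMIZER_HIDE_VAR(): it stops the
 * compiler from dropping the mask because it "knows" index is in range.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
						    unsigned long size)
{
	volatile unsigned long hidden = index;
	index = hidden;
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Same shape as the kernel macro: evaluate arguments once, AND with the mask. */
#define array_index_nospec(index, size) ({				\
	__typeof__(index) _i = (index);					\
	__typeof__(size) _s = (size);					\
	unsigned long _mask = array_index_mask_nospec(_i, _s);		\
	(__typeof__(_i))(_i & _mask);					\
})

/* Toy stand-in for struct perf_event's hw.info.address. */
struct toy_bp { unsigned long address; };

/* Constructed sample table standing in for thread->ptrace_bps[]; slot 2 is empty. */
static struct toy_bp bp0 = { 0x1000 }, bp1 = { 0x2000 }, bp3 = { 0x4000 };
static struct toy_bp *ptrace_bps[HBP_NUM] = { &bp0, &bp1, NULL, &bp3 };

/*
 * Before: the pattern the patch replaces. For non-negative n the bounds check
 * is architecturally sufficient, but the load from ptrace_bps[n] can execute
 * speculatively with an attacker-chosen n before the branch resolves.
 */
unsigned long get_debugreg_unsafe(int n)
{
	unsigned long val = 0;

	if (n < HBP_NUM) {
		struct toy_bp *bp = ptrace_bps[n];
		if (bp)
			val = bp->address;
	}
	return val;
}

/*
 * After: same check, but the index used for the load is forced to 0 whenever
 * it is out of range, so a mispredicted branch reads ptrace_bps[0] rather than
 * an attacker-chosen offset.
 */
unsigned long get_debugreg_nospec(int n)
{
	unsigned long val = 0;

	if (n < HBP_NUM) {
		int index = array_index_nospec(n, HBP_NUM);
		struct toy_bp *bp = ptrace_bps[index];
		if (bp)
			val = bp->address;
	}
	return val;
}

/* What the speculative path sees: the clamped index with no branch in front of it. */
int clamped_index(int n)
{
	return array_index_nospec(n, HBP_NUM);
}

int main(void)
{
	/* Only non-negative probes go through the unsafe variant, to avoid a real OOB read. */
	int probes[] = { 0, 1, 2, 3, 4, 100 };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("n=%4d clamped=%d unsafe=0x%lx nospec=0x%lx\n", probes[i],
		       clamped_index(probes[i]), get_debugreg_unsafe(probes[i]),
		       get_debugreg_nospec(probes[i]));
	printf("n=  -1 clamped=%d nospec=0x%lx\n", clamped_index(-1),
	       get_debugreg_nospec(-1));
	return 0;
}
```

The interesting rows are n=4 and n=100, where the unsafe version never loads (the branch is not taken) but clamped_index() shows that a speculated load would have hit slot 0, and n=-1, where the mask also clamps to 0 because the negative value wraps to a huge unsigned index. This is why the kernel's callers still need their own lower-bound guarantee: array_index_nospec() neutralises the speculative path, it does not replace the architectural check.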