From: Jordy Zomer
To: linux-kernel@vger.kernel.org
Cc: Jordy Zomer, Alasdair Kergon, Mike Snitzer, dm-devel@redhat.com
Subject: [PATCH] dm ioct: prevent potential specter v1 gadget
Date: Sat, 29 Jan 2022 15:37:22 +0100
Message-Id: <20220129143722.3460829-1-jordy@pwning.systems>

It appears like cmd could be a Spectre v1 gadget as it's supplied by a user and used as an array index. Prevent the contents of kernel memory from being leaked to userspace via speculative execution by using array_index_nospec.

Signed-off-by: Jordy Zomer

--- drivers/md/dm-ioctl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 21fe8652b095..0c1f9983f080 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1788,6 +1788,7 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags) if (unlikely(cmd >= ARRAY_SIZE(_ioctls))) return NULL; + cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls)); *ioctl_flags = _ioctls[cmd].flags; return _ioctls[cmd].fn; } -- 2.27.0
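
Review bot: The added line in lookup_ioctl() calls array_index_nospec(), but the diffstat shows one insertion and no new #include, so please confirm that drivers/md/dm-ioctl.c already includes <linux/nospec.h> directly rather than relying on a transitive include, and add it in this patch if it does not. The clamp itself sits in the right place, after the `cmd >= ARRAY_SIZE(_ioctls)` check and before both `_ioctls[cmd]` reads, so both dependent loads use the sanitized index. For a v2, the subject line has two typos: "dm ioct" should read "dm ioctl" and "specter" should read "Spectre".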