Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp159380pxb;
        Mon, 31 Jan 2022 18:11:10 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwn2BhgVb8Z0EGascGJ52UeWpDvH8/kokKhM6vXGXcqOs0xF3e/G8rXAxibv8GgrWYEmTM+
X-Received: by 2002:a17:90b:38c9:: with SMTP id nn9mr360008pjb.47.1643681469948;
        Mon, 31 Jan 2022 18:11:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643681469; cv=none;
        d=google.com; s=arc-20160816;
        b=Ev9rkSY6yczAZMO2CfpXIgUWrCybWf+Wo1R1CMeR9I5N7jLnCNTtCgk88YzswME9Yx
         oUkuvtMPvyjnimSysBB0HTXfuakJLytMdwSaU8OXs+UXcOe0qGJC7Az/BkPF920MvrfF
         o1B4/EebxThoZJ9gaQyjq0fErZ4J/JiQXlp4t+8+HuTq0VCru2y76w+k1w1LgAtczm2Q
         oEVxAnFKRyqN7z+k2YkLVMzkmhvTZ2U8tucLUdb5uBjdp3igwdobJCLE0i1N9exGYWbV
         f6JcqH03qXfAhIUHMQXsr6aELBU3kif/F5hmeikBbgxn0K/dSgj8YcuXQ4sxblvDwb6p
         FVfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=QbFa227xCy68t9xwSPCN2eZbQeWk/vnf0G4uVSw9zyo=;
        b=U2W0/DAjZmXcA8HPu4HtOYYMRWFc0zXHdWu/FWpQGAQZSbkG0ioSlL/r6bIuuY0LAZ
         q5khotO/jTFNwkKpebZ23EvFuNyD1Vv//dFMcqWDPNr69JIAizgUvBR/mg/wxjOgOfkm
         v3bvo6sYyfPvFspXvMsayAFbzZ/yrYgxSnWKb0/MReK8iN1VIgSANbC3nXGPQvTHJgUh
         +PJEb6gxTLRu1oIqhLTqwjKVCml3OaeRTeGyFuHM7L+F4GzHeiVQHPE/krfuogA1rmla
         xNGjuTIVOqVA0La+3BC3jyVmlmg7wUe++91KsnGE/McYs3P3lu4IcvVSKwmNyUURLwTr
         iuQA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u22si942798pjx.70.2022.01.31.18.10.58;
        Mon, 31 Jan 2022 18:11:09 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238658AbiA2Oht (ORCPT <rfc822;sshegde.linux@gmail.com>
        + 99 others); Sat, 29 Jan 2022 09:37:49 -0500
Received: from h2.fbrelay.privateemail.com ([131.153.2.43]:45151 "EHLO
        h2.fbrelay.privateemail.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S230431AbiA2Oho (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 29 Jan 2022 09:37:44 -0500
Received: from MTA-12-4.privateemail.com (mta-12-1.privateemail.com [198.54.122.106])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by h1.fbrelay.privateemail.com (Postfix) with ESMTPS id 2B2201806B6E
        for <linux-kernel@vger.kernel.org>; Sat, 29 Jan 2022 09:37:43 -0500 (EST)
Received: from mta-12.privateemail.com (localhost [127.0.0.1])
        by mta-12.privateemail.com (Postfix) with ESMTP id 722A818000AE;
        Sat, 29 Jan 2022 09:37:41 -0500 (EST)
Received: from localhost.localdomain (unknown [10.20.151.157])
        by mta-12.privateemail.com (Postfix) with ESMTPA id 168591800350;
        Sat, 29 Jan 2022 09:37:39 -0500 (EST)
From:   Jordy Zomer <jordy@pwning.systems>
To:     linux-kernel@vger.kernel.org
Cc:     Jordy Zomer <jordy@pwning.systems>,
        Alasdair Kergon <agk@redhat.com>,
        Mike Snitzer <snitzer@redhat.com>, dm-devel@redhat.com
Subject: [PATCH] dm ioct: prevent potential specter v1 gadget
Date:   Sat, 29 Jan 2022 15:37:22 +0100
Message-Id: <20220129143722.3460829-1-jordy@pwning.systems>
X-Mailer: git-send-email 2.27.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

It appears like cmd could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents
of kernel memory from being leaked to userspace via speculative
execution by using array_index_nospec.

Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
 drivers/md/dm-ioctl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 21fe8652b095..0c1f9983f080 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1788,6 +1788,7 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
 	if (unlikely(cmd >= ARRAY_SIZE(_ioctls)))
 		return NULL;
 
+	cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls));
 	*ioctl_flags = _ioctls[cmd].flags;
 	return _ioctls[cmd].fn;
 }
-- 
2.27.0