From: Oded Gabbay
Date: Wed, 2 Feb 2022 12:22:29 +0200
Subject: Re: [PATCH] habanalabs: fix potential spectre v1 gadgets
To: Jordy Zomer
Cc: "Linux-Kernel@Vger. Kernel. Org", Arnd Bergmann, Greg Kroah-Hartman, Ofir Bitton, Dani Liberman, Tomer Tayar, Koby Elbaz, farah kassabri, Sagiv Ozeri, Yuri Nudelman
References: <20220201172424.3509544-1-jordy@pwning.systems>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 2, 2022 at 9:50 AM Oded Gabbay wrote:
>
> On Tue, Feb 1, 2022 at 7:25 PM Jordy Zomer wrote:
> >
> > It appears like nr could be a Spectre v1 gadget as it's supplied by a
> > user and used as an array index. Prevent the contents
> > of kernel memory from being leaked to userspace via speculative
> > execution by using array_index_nospec.
> >
> > Signed-off-by: Jordy Zomer
> > ---
> >  drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> > index 3ba3a8ffda3e..c1cdf712a10d 100644
> > --- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> > +++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> > @@ -14,6 +14,7 @@
> >  #include
> >  #include
> >  #include
> > +#include
> >
> >  static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = {
> >  	[HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr),
> > @@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> >  	}
> >
> >  	if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
> > +		nr = array_index_nospec(nr, HL_COMMAND_END-1);

This needs to be HL_COMMAND_END.
The pattern (as described in array_index_nospec comment) is

if (index < size) {
	index = array_index_nospec(index, size);
	val = array[index];
}

When you do -1, it misses the last value which causes that ioctl to get rejected.

> >  		ioctl = &hl_ioctls[nr];
> >  	} else {
> >  		dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
> > @@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
> >  	}
> >
> >  	if (nr == _IOC_NR(HL_IOCTL_INFO)) {
> > +		nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO));

same here, it should be _IOC_NR(HL_IOCTL_INFO) + 1

Thanks,
Oded

> >  		ioctl = &hl_ioctls_control[nr];
> >  	} else {
> >  		dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
> > --
> > 2.27.0
> >
>
> Thanks for the patch.
> I'm going to run this through our CI and if nothing breaks I'll merge
> it to our -next branch.
>
> Oded
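Review bot: in the hl_ioctl() hunk, `nr = array_index_nospec(nr, HL_COMMAND_END-1);` passes a size one smaller than the bound the guard tests (`nr < HL_COMMAND_END`). array_index_nospec() masks the index to 0 whenever index >= size, so the last valid value, nr == HL_COMMAND_END - 1, is no longer passed through but collapsed to slot 0, which is the rejection Oded describes. The size argument has to be the same expression as the upper bound of the range check, i.e. `nr = array_index_nospec(nr, HL_COMMAND_END);`, so the clamp and the check select the same set of indices. Minor style point: if a subtraction stays, checkpatch prefers spaces around the binary operator (`HL_COMMAND_END - 1`).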
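Review bot: in the hl_ioctl_control() hunk, `nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO));` uses the only accepted index as the size, so the one value that reaches this line, nr == _IOC_NR(HL_IOCTL_INFO), is >= size and is masked to 0, indexing slot 0 of hl_ioctls_control instead of the entry the check selected. The size must be `_IOC_NR(HL_IOCTL_INFO) + 1`, as Oded notes. Since the guard is an equality test against a compile-time constant, a simpler alternative is to index the table with that constant directly (`ioctl = &hl_ioctls_control[_IOC_NR(HL_IOCTL_INFO)];`), which removes the dependency on the user-supplied nr and needs no clamp at all.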
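The off-by-one Oded points out in both hunks can be reproduced in user space. The following is an added example, not the habanalabs driver's code and not the kernel header itself: it re-implements the generic C fallback of array_index_mask_nospec() from include/linux/nospec.h and applies it to two constructed dispatch checks shaped like the ones in hl_ioctl() and hl_ioctl_control(). DEMO_CMD_START, DEMO_CMD_END and DEMO_INFO_NR are constructed values and stand in for, but are not, the driver's HL_COMMAND_START, HL_COMMAND_END and _IOC_NR(HL_IOCTL_INFO).

```c
/*
 * Added example, not the habanalabs driver's code: a user-space model of
 * the kernel's array_index_nospec() clamp, used to show why the size
 * argument must equal the bound used in the range check. The mask
 * arithmetic follows the generic C fallback of array_index_mask_nospec()
 * in include/linux/nospec.h; the DEMO_* constants are constructed for the
 * demonstration and are not the driver's real ioctl numbers.
 */
#include <stdio.h>
#include <limits.h>

#define DEMO_BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/*
 * All-ones when index < size, all-zeros otherwise, computed without a
 * branch so that it also holds on a mispredicted path. Relies on an
 * arithmetic right shift of a negative long, as the kernel does.
 */
static unsigned long demo_index_mask_nospec(unsigned long index,
					    unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (DEMO_BITS_PER_LONG - 1);
}

/* Clamp: index is returned unchanged when index < size, otherwise 0. */
static unsigned long demo_index_nospec(unsigned long index, unsigned long size)
{
	return index & demo_index_mask_nospec(index, size);
}

/* Constructed ioctl-number range: valid nr values are 1, 2 and 3. */
#define DEMO_CMD_START 1UL
#define DEMO_CMD_END   4UL	/* exclusive bound, like "nr < HL_COMMAND_END" */
#define DEMO_INFO_NR   1UL	/* single valid nr, like "nr == _IOC_NR(...)" */

/*
 * Model of the hl_ioctl() check: returns the table slot that would be
 * dereferenced, or -1 when the range check rejects nr. 'size' is the
 * value handed to the clamp so that both DEMO_CMD_END and
 * DEMO_CMD_END - 1 can be tried against the same guard.
 */
static long demo_dispatch(unsigned long nr, unsigned long size)
{
	if (nr >= DEMO_CMD_START && nr < DEMO_CMD_END) {
		nr = demo_index_nospec(nr, size);
		return (long)nr;
	}
	return -1;
}

/* Model of the hl_ioctl_control() check, which accepts a single value. */
static long demo_dispatch_control(unsigned long nr, unsigned long size)
{
	if (nr == DEMO_INFO_NR) {
		nr = demo_index_nospec(nr, size);
		return (long)nr;
	}
	return -1;
}

int main(void)
{
	unsigned long nr;

	printf("nr  size=END  size=END-1\n");
	for (nr = 0; nr <= DEMO_CMD_END; nr++)
		printf("%2lu  %8ld  %10ld\n", nr,
		       demo_dispatch(nr, DEMO_CMD_END),
		       demo_dispatch(nr, DEMO_CMD_END - 1));

	printf("control: size=INFO -> %ld, size=INFO+1 -> %ld\n",
	       demo_dispatch_control(DEMO_INFO_NR, DEMO_INFO_NR),
	       demo_dispatch_control(DEMO_INFO_NR, DEMO_INFO_NR + 1));
	return 0;
}
```

With size equal to the guard's bound every accepted nr comes back unchanged; with size one short, the highest accepted nr (3 in the range case, DEMO_INFO_NR in the equality case) is masked to slot 0 while the guard still lets it through, which is exactly the mismatch between check and clamp that the review asks to fix.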