Subject: Re: [PATCHv3] habanalabs: fix potential spectre v1 gadgets
From: Jordy Zomer
Date: Wed, 2 Feb 2022 20:13:46 +0100
To: linux-kernel@vger.kernel.org
Cc: Oded Gabbay, Arnd Bergmann, Greg Kroah-Hartman, Ofir Bitton, Dani Liberman, Yuri Nudelman, Sagiv Ozeri, Koby Elbaz, farah kassabri
In-Reply-To: <20220202191104.3526448-1-jordy@pwning.systems>
List-ID: linux-kernel@vger.kernel.org

Sorry! Removed the message and hope the line-wrapping is correct now :)

> On 2 Feb 2022, at 20:11, Jordy Zomer wrote:
>
> It appears that nr could be a Spectre v1 gadget as it's supplied by a
> user and used as an array index. Prevent the contents of kernel memory
> being leaked to userspace via speculative execution by using
> array_index_nospec.
>
> Signed-off-by: Jordy Zomer
>
> ---
> Changes v1 -> v2: Added the correct offsets
> Changes v2 -> v3: Fixed line-wrapping
> ---
> drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> index 3ba3a8ffda3e..c1cdf712a10d 100644
> --- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> +++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> @@ -14,6 +14,7 @@
> #include
> #include
> #include
> +#include
>
> static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = {
> [HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr),
> @@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
> + nr = array_index_nospec(nr, HL_COMMAND_END);
> ioctl = &hl_ioctls[nr];
> } else {
> dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
> @@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if (nr == _IOC_NR(HL_IOCTL_INFO)) {
> + nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO)+1);
> ioctl = &hl_ioctls_control[nr];
> } else {
> dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
> --
> 2.27.0
>
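Review bot: in the hl_ioctl hunk the clamp bound HL_COMMAND_END is a constant maintained separately from the declared size of hl_ioctls[] (the declaration is outside the hunk), so the two can drift apart, and a bound larger than the table would still let a speculative out-of-bounds load through. Tie the mask to the table it guards, `nr = array_index_nospec(nr, ARRAY_SIZE(hl_ioctls));`, and keep the existing HL_COMMAND_START/HL_COMMAND_END range check as the architectural bounds check: array_index_nospec() only masks an out-of-range index to 0 under speculation, it does not reject it. The declaration of nr is also outside the hunk; the helper expects an unsigned index, so that is worth confirming in the full file.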
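Review bot: in the hl_ioctl_control hunk the guard is an equality test, so inside the branch nr can only be _IOC_NR(HL_IOCTL_INFO); indexing with that constant, `ioctl = &hl_ioctls_control[_IOC_NR(HL_IOCTL_INFO)];`, takes the user-controlled value out of the array access entirely and makes the array_index_nospec() call unnecessary. If the masking call is kept instead, `_IOC_NR(HL_IOCTL_INFO)+1` needs spaces around the operator per kernel coding style (checkpatch will flag it), and ARRAY_SIZE(hl_ioctls_control) is the more robust bound for the same reason as in the first hunk.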
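As an added illustration that is not part of this patch or of the habanalabs driver, the following userspace C reconstructs the generic (portable, non-arch) array_index_mask_nospec()/array_index_nospec() logic from the kernel and applies it to an ioctl-style dispatch table in the shape of hl_ioctls[]. The names handlers, op_info/op_cb/op_cs, dispatch_unhardened, dispatch_hardened, HIDE_VAR and array_index_nospec_ul are this example's own, and HIDE_VAR assumes a GCC or Clang compiler. The values checked are only the architectural results (in range: unchanged; out of range: 0); the speculative out-of-bounds load the mask prevents cannot be observed from a program like this, and the unhardened and hardened dispatchers return identical values on every input.

```c
/* Stand-alone reconstruction (example code, not the driver's) of the
 * generic array_index_mask_nospec()/array_index_nospec() logic, applied
 * to an ioctl-style dispatch table. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG ((unsigned)(sizeof(long) * CHAR_BIT))

/* Assumption: GCC/Clang. An empty asm with an in/out operand keeps the
 * compiler from proving index < size and deleting the mask; it stands in
 * for the kernel's OPTIMIZER_HIDE_VAR(). */
#if defined(__GNUC__)
#define HIDE_VAR(v) __asm__ __volatile__("" : "+r"(v))
#else
#define HIDE_VAR(v) ((void)0)
#endif

/* Returns ~0UL when index < size and 0 otherwise, without a branch.
 * If index < size, both index and (size - 1 - index) have the top bit
 * clear, so ~(index | ...) has it set and the arithmetic shift yields
 * all ones. If index >= size, (size - 1 - index) wraps and sets the top
 * bit, the complement clears it and the shift yields 0. Requires index
 * and size below LONG_MAX, as the kernel helper does. */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    HIDE_VAR(index);
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp: index if index < size, else 0. Branch-free, so the CPU cannot
 * speculate past it the way it can past an if (nr < size) check. */
static unsigned long array_index_nospec_ul(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* A toy dispatch table in the shape of hl_ioctls[] (assumed names). */
typedef long (*ioctl_fn)(unsigned long arg);

static long op_info(unsigned long arg) { return (long)arg + 1; }
static long op_cb(unsigned long arg)   { return (long)arg * 2; }
static long op_cs(unsigned long arg)   { return (long)arg * 3; }

static const ioctl_fn handlers[] = { op_info, op_cb, op_cs };
#define NR_HANDLERS (sizeof(handlers) / sizeof(handlers[0]))

/* The gadget: nr comes from user space. The range check is correct
 * architecturally, but the CPU may run handlers[nr] speculatively with
 * an out-of-range nr before the branch resolves. */
static long dispatch_unhardened(unsigned int nr, unsigned long arg)
{
    if (nr >= NR_HANDLERS)
        return -EINVAL;
    return handlers[nr](arg);
}

/* Hardened form: keep the check (it still decides the error path) and
 * mask the index against the table's real size, not a separate constant. */
static long dispatch_hardened(unsigned int nr, unsigned long arg)
{
    if (nr >= NR_HANDLERS)
        return -EINVAL;
    nr = (unsigned int)array_index_nospec_ul(nr, NR_HANDLERS);
    return handlers[nr](arg);
}

int main(void)
{
    /* Constructed probe values around the table boundary. */
    unsigned long probes[] = { 0, 2, 3, 5, ULONG_MAX };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("clamp(%lu, %zu) = %lu\n", probes[i], NR_HANDLERS,
               array_index_nospec_ul(probes[i], NR_HANDLERS));
    printf("dispatch_hardened(1, 21) = %ld\n", dispatch_hardened(1, 21));
    printf("dispatch_hardened(7, 21) = %ld\n", dispatch_hardened(7, 21));
    return 0;
}
```

Two things the boundary values make concrete: clamping against a bound larger than the table (array_index_nospec_ul(5, 8) returns 5) gives no protection for a 3-entry table, which is why the clamp size should come from ARRAY_SIZE() of the table being indexed rather than a separately maintained constant; and the range check has to stay, since the mask only turns out-of-range indices into 0 rather than rejecting them.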