From: Jordy Zomer
To: linux-kernel@vger.kernel.org
Cc: Jordy Zomer, Oded Gabbay, Arnd Bergmann, Greg Kroah-Hartman, Ofir Bitton, Dani Liberman, Yuri Nudelman, Sagiv Ozeri, Koby Elbaz, farah kassabri
Subject: [PATCHv3] habanalabs: fix potential spectre v1 gadgets
Date: Wed, 2 Feb 2022 20:11:00 +0100
Message-Id: <20220202191104.3526448-1-jordy@pwning.systems>
X-Mailing-List: linux-kernel@vger.kernel.org

It appears like nr could be a Spectre v1 gadget as it's supplied by a user and used as an array index. Prevent the contents of kernel memory being leaked to userspace via speculative execution by using array_index_nospec.
Signed-off-by: Jordy Zomer --- Changes v1 -> v2: Added the correct offsets Changes v2 -> v3: Fixed line-wrapping --- drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c index 3ba3a8ffda3e..c1cdf712a10d 100644 --- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c +++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c @@ -14,6 +14,7 @@ #include #include #include +#include static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = { [HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr), @@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) } if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) { + nr = array_index_nospec(nr, HL_COMMAND_END); ioctl = &hl_ioctls[nr]; } else { dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n", @@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg) } if (nr == _IOC_NR(HL_IOCTL_INFO)) { + nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO)+1); ioctl = &hl_ioctls_control[nr]; } else { dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n", -- 2.27.0
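Review bot: the header name on the new `+#include` line in the first hunk is not visible in this rendering (the angle-bracketed name has been dropped), so please confirm it is `<linux/nospec.h>`, which is where array_index_nospec() is declared; without it the two later hunks will not build.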
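Review bot: in the hl_ioctl() hunk, the second argument to array_index_nospec() must be the element count of hl_ioctls[], not just the upper bound of the range check. Since the table is dereferenced as `ioctl = &hl_ioctls[nr];` with nr up to HL_COMMAND_END - 1, passing HL_COMMAND_END is correct only if hl_ioctls[] is declared with at least HL_COMMAND_END entries; the hunk does not show the declaration, so that is worth stating in the commit message. The clamp does not enforce the lower bound (values below HL_COMMAND_START are left alone), which is acceptable because they still land inside the table, and the placement after the bounds check and before the dereference is the right one.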
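Review bot: in the hl_ioctl_control() hunk, `_IOC_NR(HL_IOCTL_INFO)+1` needs spaces around the `+` to match kernel coding style (checkpatch will flag it). More substantively, the condition `nr == _IOC_NR(HL_IOCTL_INFO)` admits exactly one value, so the user-controlled index can be removed from the lookup altogether with `ioctl = &hl_ioctls_control[_IOC_NR(HL_IOCTL_INFO)];`, which eliminates the gadget without array_index_nospec() at all; if the nr-indexed form is kept, the size argument must match the declared length of hl_ioctls_control[].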
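As an added example, not part of this patch or of the habanalabs driver, the following userspace model shows what array_index_nospec() actually computes and why the patch places it between the bounds check and the table lookup. The mask arithmetic is the generic fallback from linux/nospec.h; the ioctl number range, the handler functions and the table contents are constructed here for illustration, and only the dispatch shape follows hl_ioctl().

```c
/*
 * Added example: userspace model of the kernel's array_index_nospec() clamp
 * and of the ioctl-table dispatch it guards. HL_COMMAND_START/END, the
 * handler names and the table contents are constructed for this example;
 * only the order "bounds check, clamp, index" mirrors the patched hl_ioctl().
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG ((int)(sizeof(unsigned long) * CHAR_BIT))

/*
 * Same arithmetic as the generic array_index_mask_nospec() fallback in
 * linux/nospec.h: all-ones when index < size, all-zeros otherwise, computed
 * without a branch so it takes effect even on a mispredicted path.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
						   unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp: index is returned unchanged when index < size, and 0 otherwise. */
static inline unsigned int array_index_nospec(unsigned int index,
					      unsigned int size)
{
	unsigned long mask = array_index_mask_nospec(index, size);

	return (unsigned int)(index & mask);
}

/* Constructed ioctl number space, shaped like the patch's range check. */
#define HL_COMMAND_START 1u
#define HL_COMMAND_END   4u

typedef int (*hl_ioctl_fn)(int arg);

static int hl_info_ioctl(int arg) { return arg + 1; }
static int hl_cb_ioctl(int arg)   { return arg * 2; }
static int hl_cs_ioctl(int arg)   { return -arg; }

/*
 * The table has HL_COMMAND_END entries, so every index the clamp can
 * produce (0 .. HL_COMMAND_END - 1) stays inside it. Slot 0 sits below
 * HL_COMMAND_START and is never reached on the architectural path.
 */
static const hl_ioctl_fn hl_ioctls[HL_COMMAND_END] = {
	[1] = hl_info_ioctl,
	[2] = hl_cb_ioctl,
	[3] = hl_cs_ioctl,
};

/*
 * Dispatch in the same order as the patched hl_ioctl(): bounds check, then
 * clamp nr, then index the table. The size argument is the table's element
 * count, which is what makes the clamp a real bound on the array access.
 */
int hl_dispatch(unsigned int nr, int arg)
{
	if (nr >= HL_COMMAND_START && nr < HL_COMMAND_END) {
		nr = array_index_nospec(nr, HL_COMMAND_END);
		return hl_ioctls[nr](arg);
	}
	return -ENOTTY;
}

int main(void)
{
	printf("nr=2, arg=21 -> %d\n", hl_dispatch(2, 21));
	printf("nr=9, arg=21 -> %d\n", hl_dispatch(9, 21));
	printf("clamp(9, %u) -> %u\n", HL_COMMAND_END,
	       array_index_nospec(9, HL_COMMAND_END));
	return 0;
}
```

Running the model shows in-range indices pass through the clamp unchanged while any out-of-range value, including UINT_MAX, collapses to 0; speculation itself is not observable from C, but this is the property the kernel relies on: a mispredicted bounds check can only ever leave an in-table index in flight.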