From: Hagar Gamal Halim Hemdan
CC: Maximilian Heyne, Norbert Manthey, Hagar Gamal Halim Hemdan, Bryan Tan, Vishnu Dasa, "VMware PV-Drivers Reviewers", Arnd Bergmann, Greg Kroah-Hartman, Dmitry Torokhov, George Zhang, Andy king
Subject: [PATCH v3] vmci: prevent speculation leaks by sanitizing event in event_deliver()
Date: Tue, 28 Nov 2023 09:06:46 +0000
Message-ID: <20231128090647.49863-1-hagarhem@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Coverity spotted that event_msg is controlled by user-space,
event_msg->event_data.event is passed to event_deliver() and used
as an index without sanitization.

This change ensures that the event index is sanitized to mitigate any
possibility of speculative information leaks.

Fixes: 1d990201f9bb ("VMCI: event handling implementation.")

Signed-off-by: Hagar Gamal Halim Hemdan
Cc: stable@vger.kernel.org
---
v3: added cc stable tag to the commit message as requested by kernel test robot.

drivers/misc/vmw_vmci/vmci_event.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/vmw_vmci/vmci_event.c b/drivers/misc/vmw_vmci/vmci_event.c index 5d7ac07623c2..9a41ab65378d 100644 --- a/drivers/misc/vmw_vmci/vmci_event.c +++ b/drivers/misc/vmw_vmci/vmci_event.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include 
@@ -86,9 +87,12 @@ static void event_deliver(struct vmci_event_msg *event_msg) { struct vmci_subscription *cur; struct list_head *subscriber_list; + u32 sanitized_event, max_vmci_event; rcu_read_lock(); - subscriber_list = &subscriber_array[event_msg->event_data.event]; + max_vmci_event = ARRAY_SIZE(subscriber_array); + sanitized_event = array_index_nospec(event_msg->event_data.event, max_vmci_event); + subscriber_list = &subscriber_array[sanitized_event]; list_for_each_entry_rcu(cur, subscriber_list, node) { cur->callback(cur->id, &event_msg->event_data, cur->callback_data); -- 2.40.1
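
Review bot: In event_deliver(), array_index_nospec() is the only thing between event_msg->event_data.event and the subscriber_array[] lookup, and it is not a range check: for an index at or above max_vmci_event it returns 0, so an out-of-range event would be delivered to the subscribers of event 0 rather than rejected. Nothing in this hunk shows an architectural bounds check, and the commit message describes the value as used "without sanitization", so please either state in the changelog which caller already rejects event >= ARRAY_SIZE(subscriber_array), or add an explicit check and early return before rcu_read_lock(). As a smaller point, max_vmci_event is assigned once and read once; passing ARRAY_SIZE(subscriber_array) straight to array_index_nospec() would drop a local and make it obvious that the bound is a compile-time constant.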