Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp2646378lqo; Tue, 14 May 2024 05:27:09 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUrAuGaJv1cwgYtDYOJ2bNY5taJR5cCd7T+Tswg1iqDm3hWUgTbX/6hLvnzyV8lhhwKQ6+N5vnOKGlJMC1w2l7Ews/qtkBFzYDkhmFNgg== X-Google-Smtp-Source: AGHT+IE/FnsaJJZ8lmSn8YAMh+LWUmlh1Ixwj8YWBSHJ0LcBD1KtDvolreR4ufBkkDlKxvmllNMa X-Received: by 2002:a17:902:f60a:b0:1e7:b6b5:1f05 with SMTP id d9443c01a7336-1ef43d1b00fmr143590555ad.18.1715689628465; Tue, 14 May 2024 05:27:08 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715689628; cv=pass; d=google.com; s=arc-20160816; b=jgsXAEIGrE9GUp9pK5ZoNLBs3BkwbjpyQ7zSzg6LRx0Gdn3Ka75w6pbEQ74ns1viDO SM1hfIFVrP1gOpV0gD8KtnD3apDDFCzwgfgCeGAsRQsCQbJPy6craKCYN2Eu6QQvW+4L VchFoVBbmTQnMXqu7OSkdMg8JeyO5/No55HNHQJAhB7n/IZIVf+hRWFHSwClXGuwPCP5 PXSlfVW57RIbPnr2QMjNo7ib6tF1ewHDq31rQV7ZvJl2yPWSOOSO0YKtEUebI48bmfaS ZgAq8YbZIsApmVQg0Xn5uX7YDW/qmXkkxz4nonirIKB/dYgKkIc91rEDFjrqCjQtcykI nIYw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=jZ0aIN73vHSEd/w0f15GiiFOLZHUFBfpeWf82hZw6m8=; fh=C0jU5nYf0STG1gqGsUDcYXy/+eLpOdgLBVy7JaqXW+k=; b=Yu5QMWhGaW8MX1ijYAXcaY/ExtwGIFe10HfPNOgcAHcqlg6uOALHqcTCEjDw3FYiAB y249bKlF7S8WDy51x00Wlx1VotGsNfwCACzKg5LSS0ZFeRLpH0Fc8ixQOKv7SscVq5ra NRpZi3kAzyucvj+YS/E3aJ61nwanGEUDUnKZgaFXk6BvpCcaYcvWcZuE5TAuoekcGtuR YgXp03hd8ZORH2VQxyMhi1JhVU9azyaA8bNPxZpxgiH98JOF4R4w0QZ+CbdDNe+eWaVL uVzFL4jCFkWMbVceLEcL1+uOPNzReV+Cvf5WBwHq6InkzxEJ+yxAqwaYpfvJEz3U9Us7 ULxw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=TB1hUabf; arc=pass (i=1 spf=pass spfdomain=amazon.com dkim=pass dkdomain=amazon.com dmarc=pass fromdomain=amazon.com); spf=pass (google.com: domain of linux-kernel+bounces-178658-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-178658-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id d9443c01a7336-1ef0c15f531si110321745ad.542.2024.05.14.05.27.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 May 2024 05:27:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-178658-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@amazon.com header.s=amazon201209 header.b=TB1hUabf; arc=pass (i=1 spf=pass spfdomain=amazon.com dkim=pass dkdomain=amazon.com dmarc=pass fromdomain=amazon.com); spf=pass (google.com: domain of linux-kernel+bounces-178658-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-178658-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id A7550B215C3 for ; Tue, 14 May 2024 12:27:04 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0C3FA4F602; Tue, 14 May 2024 12:26:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=amazon.com header.i=@amazon.com header.b="TB1hUabf" Received: from smtp-fw-2101.amazon.com (smtp-fw-2101.amazon.com [72.21.196.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AE675225A8; Tue, 14 May 2024 12:26:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=72.21.196.25 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715689617; cv=none; b=f5s9VATRDI2eZSaBG0Ar27xXXH/PcFFsHTttLGyd83VgcrbX/Eefg1jHF8qmXVytHnFIC2RC0uc7Sf828kPF4LlxNOU+sKX8rRwaHpQAWoO2WO3ovU70wtIY931kXD5nopM/wBbtHJXFRWjbIAptQHW7OMny/f2UgGs8Ya0KCog= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715689617; c=relaxed/simple; bh=xU1lG+LaTVYlDzKuYpkmb+8guhxZCCniE7IDWhABdcc=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=LUzwBjwEhnMcMVBw4CGKKei/ZLXBq/rk4potqs1YKTip6LAT9NbyrIXapOkkNzqQ5gGauj0dzd/F6kdcV0E6eAlxNRLOQMZgL22EaOUxqYeHRpyXMAJb+YJsMmE7pSWVyGnW7FJHMsyhS3EgQTUxQoUUTzUwH9E6zyzdbQuRQq0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amazon.com; spf=pass smtp.mailfrom=amazon.com; dkim=pass (1024-bit key) header.d=amazon.com header.i=@amazon.com header.b=TB1hUabf; arc=none smtp.client-ip=72.21.196.25 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amazon.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=amazon.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1715689616; x=1747225616; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=jZ0aIN73vHSEd/w0f15GiiFOLZHUFBfpeWf82hZw6m8=; b=TB1hUabfEMQWWWkY7MDUZt6vuCG9lhBXMqXoImr/Z60/35aBT1/Fur/6 kqrMQEFAv2gpbK0U30Eu5oAAHNC9uPvDS8d8DUvhFW7LrKYmORofdDBTd wgqIuIEhJWDPY/NKILgkrSmRFtiHzDdr6Jki8oNgWLxQftRC+VNLfW60d w=; X-IronPort-AV: E=Sophos;i="6.08,159,1712620800"; d="scan'208";a="401038834" Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.43.8.6]) by smtp-border-fw-2101.iad2.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 May 2024 12:26:52 +0000 Received: from EX19MTAEUC001.ant.amazon.com [10.0.17.79:16153] by smtpin.naws.eu-west-1.prod.farcaster.email.amazon.dev [10.0.23.178:2525] with esmtp (Farcaster) id d2bd624b-9d24-4d18-9f3a-ab99477b65da; Tue, 14 May 2024 12:26:51 +0000 (UTC) X-Farcaster-Flow-ID: d2bd624b-9d24-4d18-9f3a-ab99477b65da Received: from EX19D002EUC003.ant.amazon.com (10.252.51.218) by EX19MTAEUC001.ant.amazon.com (10.252.51.193) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Tue, 14 May 2024 12:26:50 +0000 Received: from EX19MTAUWB001.ant.amazon.com (10.250.64.248) by EX19D002EUC003.ant.amazon.com (10.252.51.218) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Tue, 14 May 2024 12:26:49 +0000 Received: from dev-dsk-hagarhem-1b-b868d8d5.eu-west-1.amazon.com (10.253.65.58) by mail-relay.amazon.com (10.250.64.254) with Microsoft SMTP Server id 15.2.1258.28 via Frontend Transport; Tue, 14 May 2024 12:26:49 +0000 Received: by dev-dsk-hagarhem-1b-b868d8d5.eu-west-1.amazon.com (Postfix, from userid 23002382) id BBB5620AC2; Tue, 14 May 2024 12:26:48 +0000 (UTC) From: Hagar Hemdan To: CC: Norbert Manthey , Hagar Hemdan , Bartosz Golaszewski , Kent Gibson , Linus Walleij , , Subject: [PATCH] gpio: prevent potential speculation leaks in gpio_device_get_desc() Date: Tue, 14 May 2024 12:26:01 +0000 Message-ID: <20240514122601.15261-1-hagarhem@amazon.com> X-Mailer: git-send-email 2.40.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Users can call the gpio_ioctl() interface to get information about gpio chip lines. Lines on the chip are identified by an offset in the range of [0,chip.lines). Offset is copied from user and then used as an array index to get the gpio descriptor without sanitization. This change ensures that the offset is sanitized by using "array_index_nospec" to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL") Signed-off-by: Hagar Hemdan --- Only compile tested, no access to HW. --- drivers/gpio/gpiolib-cdev.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index 9dad67ea2597..215c03e6808f 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -2170,7 +2171,8 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip) lflags = eventreq.handleflags; eflags = eventreq.eventflags; - desc = gpio_device_get_desc(gdev, offset); + desc = gpio_device_get_desc(gdev, + array_index_nospec(offset, gdev->ngpio)); if (IS_ERR(desc)) return PTR_ERR(desc); @@ -2477,7 +2479,8 @@ static int lineinfo_get_v1(struct gpio_chardev_data *cdev, void __user *ip, return -EFAULT; /* this doubles as a range check on line_offset */ - desc = gpio_device_get_desc(cdev->gdev, lineinfo.line_offset); + desc = gpio_device_get_desc(cdev->gdev, + array_index_nospec(lineinfo.line_offset, cdev->gdev->ngpio)); if (IS_ERR(desc)) return PTR_ERR(desc); @@ -2514,7 +2517,8 @@ static int lineinfo_get(struct gpio_chardev_data *cdev, void __user *ip, if (memchr_inv(lineinfo.padding, 0, sizeof(lineinfo.padding))) return -EINVAL; - desc = gpio_device_get_desc(cdev->gdev, lineinfo.offset); + desc = gpio_device_get_desc(cdev->gdev, + array_index_nospec(lineinfo.offset, cdev->gdev->ngpio)); if (IS_ERR(desc)) return PTR_ERR(desc); -- 2.40.1