From: Josh Poimboeuf Subject: Re: [PATCH 3/3] ext4: mballoc: Fix spectre gadget in ext4_mb_simple_scan_group Date: Fri, 27 Jul 2018 13:10:22 -0500 Message-ID: <20180727181022.zjz3lwagugitwt5m@treble> References: <20180727162357.30801-1-jcline@redhat.com> <20180727162357.30801-4-jcline@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Cc: Theodore Ts'o , Andreas Dilger , linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org To: Jeremy Cline Return-path: Content-Disposition: inline In-Reply-To: <20180727162357.30801-4-jcline@redhat.com> Sender: stable-owner@vger.kernel.org List-Id: linux-ext4.vger.kernel.org On Fri, Jul 27, 2018 at 04:23:57PM +0000, Jeremy Cline wrote: > 'ac->ac_2order' is a user-controlled value used to index into > 'grp->bb_counters' and based on the value at that index, 'ac->ac_found' > is written to. Clamp the value right after the bounds check to avoid a > speculative out-of-bounds read of 'grp->bb_counters'. > > This also protects the access of the s_mb_offsets and s_mb_maxs arrays > inside mb_find_buddy(). > > These gadgets were discovered with the help of smatch: > > * fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential > spectre issue 'grp->bb_counters' [w] (local cap) > > * fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue > 'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap) > > * fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue > 'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap) > > Cc: Josh Poimboeuf > Cc: stable@vger.kernel.org > Signed-off-by: Jeremy Cline > --- > fs/ext4/mballoc.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c > index f7ab34088162..c0866007a949 100644 > --- a/fs/ext4/mballoc.c > +++ b/fs/ext4/mballoc.c > @@ -14,6 +14,7 @@ > #include > #include > #include > +#include > #include > #include > > @@ -1893,6 +1894,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, > > BUG_ON(ac->ac_2order <= 0); > for (i = ac->ac_2order; i <= sb->s_blocksize_bits + 1; i++) { > + i = array_index_nospec(i, sb->s_blocksize_bits + 2); > if (grp->bb_counters[i] == 0) > continue; Similar to my patch 1 comment, it's better to go up the call chain. ac_2order's user taint seems to come from ext4_mb_regular_allocator(), where it's derived from ac->ac_g_ex.fe_len, which has a user taint according to smatch. i = fls(ac->ac_g_ex.fe_len); ac->ac_2order = 0; /* * We search using buddy data only if the order of the request * is greater than equal to the sbi_s_mb_order2_reqs * You can tune it via /sys/fs/ext4//mb_order2_req * We also support searching for power-of-two requests only for * requests upto maximum buddy size we have constructed. */ if (i >= sbi->s_mb_order2_reqs && i <= sb->s_blocksize_bits + 2) { /* * This should tell if fe_len is exactly power of 2 */ if ((ac->ac_g_ex.fe_len & (~(1 << (i - 1)))) == 0) ac->ac_2order = i - 1; } So here maybe you could change the assignment to: ac->ac_2order = array_index_nospec(i - 1, sb->s_blocksize_bits + 2); That makes it easier for a reader of the code to understand what speculation we're protecting against. And it also protects other consumers of this value down the call chain. -- Josh