Return-path:
Received: from mail-lf0-f68.google.com ([209.85.215.68]:46555 "EHLO mail-lf0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752893AbeAFKB7 (ORCPT ); Sat, 6 Jan 2018 05:01:59 -0500
Received: by mail-lf0-f68.google.com with SMTP id a12so7494839lfe.13 for ; Sat, 06 Jan 2018 02:01:59 -0800 (PST)
Subject: Re: [PATCH 09/18] p54: prevent bounds-check bypass via speculative execution
To: Dan Williams, linux-kernel@vger.kernel.org
Cc: linux-arch@vger.kernel.org, peterz@infradead.org, netdev@vger.kernel.org, linux-wireless@vger.kernel.org, Elena Reshetova, gregkh@linuxfoundation.org, Christian Lamparter, tglx@linutronix.de, torvalds@linux-foundation.org, Kalle Valo, alan@linux.intel.com
References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520104323.32271.6614158873750932410.stgit@dwillia2-desk3.amr.corp.intel.com>
From: Sergei Shtylyov
Message-ID: <834cec3e-67a6-3ddb-39a2-76e04ade3cf1@cogentembedded.com> (sfid-20180106_110222_169617_D0BAC32B)
Date: Sat, 6 Jan 2018 13:01:57 +0300
MIME-Version: 1.0
In-Reply-To: <151520104323.32271.6614158873750932410.stgit@dwillia2-desk3.amr.corp.intel.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Sender: linux-wireless-owner@vger.kernel.org
List-ID:

On 1/6/2018 4:10 AM, Dan Williams wrote:

> Static analysis reports that 'queue' may be a user controlled value that
> is used as a data dependency to read from the 'priv->qos_params' array.
> In order to avoid potential leaks of kernel memory values, block
> speculative execution of the instruction stream that could issue reads
> based on an invalid result of 'priv->qos_params[queue]'.
>
> Based on an original patch by Elena Reshetova.
>
> Cc: Christian Lamparter
> Cc: Kalle Valo
> Cc: linux-wireless@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Signed-off-by: Elena Reshetova
> Signed-off-by: Dan Williams > --- > drivers/net/wireless/intersil/p54/main.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/wireless/intersil/p54/main.c b/drivers/net/wireless/intersil/p54/main.c > index ab6d39e12069..85c9cbee35fc 100644 > --- a/drivers/net/wireless/intersil/p54/main.c > +++ b/drivers/net/wireless/intersil/p54/main.c [...] > @@ -411,12 +412,13 @@ static int p54_conf_tx(struct ieee80211_hw *dev, > const struct ieee80211_tx_queue_params *params) > { > struct p54_common *priv = dev->priv; > + struct p54_edcf_queue_param *p54_q; > int ret; > > mutex_lock(&priv->conf_mutex); > - if (queue < dev->queues) { > - P54_SET_QUEUE(priv->qos_params[queue], params->aifs, > - params->cw_min, params->cw_max, params->txop); > + if ((p54_q = nospec_array_ptr(priv->qos_params, queue, dev->queues))) { Same complaint here... > + P54_SET_QUEUE(p54_q[0], params->aifs, params->cw_min, > + params->cw_max, params->txop); > ret = p54_set_edcf(priv); > } else > ret = -EINVAL; > MBR, Sergei
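
Review bot: the assignment inside the if condition in p54_conf_tx(), if ((p54_q = nospec_array_ptr(priv->qos_params, queue, dev->queues))), is a construct checkpatch flags, and it hides the bounds-checked lookup inside the test. Assign first (p54_q = nospec_array_ptr(priv->qos_params, queue, dev->queues);) and then test if (p54_q), and pass *p54_q rather than p54_q[0] to P54_SET_QUEUE, since the pointer refers to one element and not to an array. While this block is being touched, the unbraced else could get braces to match the braced if branch.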
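
The commit message's concern, an out-of-range 'queue' being used for a read before the bounds check has resolved, can be addressed by making the array address depend on the check through data flow instead of a branch. The user-space C example below is added here for illustration and is not code from this patch series or the implementation of nospec_array_ptr; index_mask, masked_ptr, set_queue, struct qparam and NQUEUES are hypothetical names.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define NQUEUES 8                       /* constructed size, not the driver's */
struct qparam { int aifs, cw_min, cw_max, txop; };  /* hypothetical layout */
static struct qparam qos[NQUEUES];

/* All-ones if idx < size, else 0, with no branch to mispredict.
 * Assumes size <= LONG_MAX and arithmetic right shift of negative
 * values (true for gcc and clang). */
static unsigned long index_mask(unsigned long idx, unsigned long size)
{
	return (unsigned long)(~(long)(idx | (size - 1 - idx)) >>
			       (sizeof(long) * CHAR_BIT - 1));
}

/* &tbl[idx] when in range, NULL otherwise. The address depends on the
 * mask by data flow, so a mispredicted caller branch can reach tbl[0]
 * at most, never tbl[idx]. */
static struct qparam *masked_ptr(struct qparam *tbl, unsigned long idx,
				 unsigned long size)
{
	unsigned long mask = index_mask(idx, size);

	return (struct qparam *)((uintptr_t)&tbl[idx & mask] & mask);
}

/* Same shape as the check in the patch: look up, then test the pointer. */
static int set_queue(unsigned long queue, int aifs)
{
	struct qparam *q = masked_ptr(qos, queue, NQUEUES);

	if (!q)
		return -EINVAL;
	q->aifs = aifs;
	return 0;
}

int main(void)
{
	printf("queue 3  -> %d\n", set_queue(3, 2));
	printf("queue 8  -> %d\n", set_queue(8, 2));
	printf("queue -1 -> %d\n", set_queue((unsigned long)-1, 2));
	return 0;
}
```

Kernel code additionally has to keep the compiler from turning the mask computation back into a conditional branch, which this example does not address.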