From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 17 May 2018 08:51:17 +0200
From: Greg Kroah-Hartman
To: "Gustavo A. R. Silva"
Cc: Valentina Manea, Shuah Khan, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usbip: vhci_sysfs: fix potential Spectre v1
Message-ID: <20180517065117.GA12910@kroah.com>
References: <20180516222200.GA14733@embeddedor.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180516222200.GA14733@embeddedor.com>
User-Agent: Mutt/1.9.5 (2018-04-13)
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID:

On Wed, May 16, 2018 at 05:22:00PM -0500, Gustavo A. R. Silva wrote:
> pdev_nr and rhport can be controlled by user-space, hence leading to
> a potential exploitation of the Spectre variant 1 vulnerability.
>
> This issue was detected with the help of Smatch:
> drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential
> spectre issue 'vhcis'
> drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential
> spectre issue 'vhcis'
> drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential
> spectre issue 'vhci->vhci_hcd_ss->vdev'
> drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential
> spectre issue 'vhci->vhci_hcd_hs->vdev'

Nit, no need to line-wrap long error messages from tools :)

> Fix this by sanitizing pdev_nr and rhport before using them to index
> vhcis and vhci->vhci_hcd_ss->vdev respectively.
>
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
>
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva
> --- > drivers/usb/usbip/vhci_sysfs.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c > index 4880838..9045888 100644 > --- a/drivers/usb/usbip/vhci_sysfs.c > +++ b/drivers/usb/usbip/vhci_sysfs.c
> @@ -10,6 +10,8 @@ > #include > #include > > +#include > + > #include "usbip_common.h" > #include "vhci.h" > > @@ -235,6 +237,8 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr, > if (!valid_port(pdev_nr, rhport)) > return -EINVAL; > > + pdev_nr = array_index_nospec(pdev_nr, vhci_num_controllers); > + rhport = array_index_nospec(rhport, VHCI_HC_PORTS);

Shouldn't we just do this in one place, in the valid_port() function?

That way it keeps the range checking logic in one place (now it is in 3
places in the function), which should make maintenance much simpler.

thanks,

greg k-h
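
Review bot: In the first hunk (@@ -10,6 +10,8 @@), the added #include sits in a group of its own, separated by blank lines from the system includes above it and from "usbip_common.h" below. Fold it into the existing include block directly above so the hunk is a single added line and the local headers remain the only separate group.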
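
Review bot: In the detach_store() hunk, the size arguments to array_index_nospec() (vhci_num_controllers and VHCI_HC_PORTS) restate limits that the valid_port() call just above is already responsible for, so the check and the clamp can drift apart; a clamp bound smaller than the checked bound would quietly turn an accepted index into 0. Either derive both from the same place or add a comment tying the two together. Separately, the Smatch output quoted in the changelog reports only 'vhcis' for detach_store(), so the changelog should say why rhport is clamped in this function as well.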
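
The suggestion in the reply above, sketched as a userspace C model (an added example, not code from the patch or the kernel tree): the range check and the clamp live in one helper that rewrites both indices through pointers, so callers cannot use an unclamped value. `valid_port_nospec`, `index_nospec`, `index_mask_nospec` and the two `SAMPLE_` limits are hypothetical names and constructed values; the mask arithmetic follows the generic fallback in `<linux/nospec.h>` and models the logic only.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed sample limits; the driver's real values are not on the page. */
#define SAMPLE_NUM_CONTROLLERS 2UL
#define SAMPLE_HC_PORTS        8UL

/* ~0UL when index < size, 0 otherwise, computed without a branch.
 * Userspace model of the generic mask; relies on arithmetic right
 * shift of a negative long, which GCC and Clang provide. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Model of array_index_nospec(): in range -> unchanged, out of range -> 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Hypothetical helper: range check and clamp in one place.
 * Returns 1 and rewrites both indices on success, 0 on a bad index. */
static int valid_port_nospec(unsigned long *pdev_nr, unsigned long *rhport)
{
	if (*pdev_nr >= SAMPLE_NUM_CONTROLLERS || *rhport >= SAMPLE_HC_PORTS)
		return 0;
	*pdev_nr = index_nospec(*pdev_nr, SAMPLE_NUM_CONTROLLERS);
	*rhport = index_nospec(*rhport, SAMPLE_HC_PORTS);
	return 1;
}

int main(void)
{
	unsigned long pdev = 1, port = 7, bad_pdev = 5, bad_port = 3;

	printf("ok=%d pdev=%lu port=%lu\n", valid_port_nospec(&pdev, &port), pdev, port);
	printf("ok=%d\n", valid_port_nospec(&bad_pdev, &bad_port));
	/* The index a mispredicted bounds check would carry after the clamp. */
	printf("clamped=%lu\n", index_nospec(5, SAMPLE_NUM_CONTROLLERS));
	return 0;
}
```

Because the comparison and the clamp read the same two constants inside one function, they cannot disagree about the limit.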