From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sat, 19 May 2018 09:04:07 +0200
From: Greg Kroah-Hartman
To: "Gustavo A. R. Silva"
Cc: Shuah Khan, Valentina Manea, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] usbip: vhci_sysfs: fix potential Spectre v1
Message-ID: <20180519070407.GA2943@kroah.com>
References: <20180517201628.GA6090@embeddedor.com> <20180518134701.GA15598@kroah.com> <3a169862-d723-88fb-05d6-f1ec80c8f7ab@embeddedor.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3a169862-d723-88fb-05d6-f1ec80c8f7ab@embeddedor.com>
User-Agent: Mutt/1.9.5 (2018-04-13)
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 18, 2018 at 05:27:22PM -0500, Gustavo A. R. Silva wrote:
>
>
> On 05/18/2018 11:06 AM, Shuah Khan wrote:
> > On 05/18/2018 07:47 AM, Greg Kroah-Hartman wrote:
> > > On Thu, May 17, 2018 at 03:16:28PM -0500, Gustavo A. R. Silva wrote:
> > > > pdev_nr and rhport can be controlled by user-space, hence leading to
> > > > a potential exploitation of the Spectre variant 1 vulnerability.
> > > >
> > > > This issue was detected with the help of Smatch:
> > > > drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis'
> > > > drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis'
> > > > drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev'
> > > > drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev'
> > > >
> > > > Fix this by sanitizing pdev_nr and rhport before using them to index
> > > > vhcis and vhci->vhci_hcd_ss->vdev respectively.
> > > >
> > > > Notice that given that speculation windows are large, the policy is
> > > > to kill the speculation on the first load and not worry if it can be
> > > > completed with a dependent load/store [1].
> > > >
> > > > [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
> > > >
> > > > Cc: stable@vger.kernel.org
> > > > Signed-off-by: Gustavo A. R. Silva
> > > > ---
> > > > Changes in v2:
> > > >   - Place the barriers into valid_port.
> > attach_store() doesn't call valid_port() - can you make the change to
> > have attach_store() call valid_port() to protect that code path.
> >
> > >
> > > Thanks for the change. I'll wait for Shuah's ack/review before queueing
> > > this up just as she knows that codebase much better than anyone else.
> > > >
> >
>
> Greg,
>
> I've been talking with Dan Williams (intel) about this kind of issues [1]
> and it seems my original assumptions are correct. Hence, this patch is not
> useful and, in order to actually prevent speculation here we would need to
> pass the address of pdev_nr and rhport into valid_port, otherwise there may
> be speculation at drivers/usb/usbip/vhci_sysfs.c:235:
>
>         if (!valid_port(pdev_nr, rhport))
>                 return -EINVAL;
>
>         hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);

Ah, yes, sorry, you do need to pass the address through, my mistake
completely. But the location for the checking is still the right place
to do it, so I was half-right :)

thanks

greg k-h
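
The by-value versus by-address point settled in this thread, as an added userspace sketch that is not part of the e-mail, the patch, or the driver source. `NUM_CONTROLLERS`, `HC_PORTS`, `index_mask_nospec`, `index_nospec` and `valid_port_by_value` are names constructed for this example; the mask helper models the kernel's generic branchless index mask.

```c
#include <limits.h>
#include <stdint.h>

#define NUM_CONTROLLERS 4UL /* constructed stand-in for the size of vhcis[] */
#define HC_PORTS 8UL        /* constructed stand-in for the size of vdev[] */

/* Userspace model of the kernel's generic array_index_mask_nospec():
 * ~0UL when index < size, 0 otherwise, computed without a branch.
 * Like the kernel version it relies on arithmetic right shift. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
			       (sizeof(long) * CHAR_BIT - 1));
}

/* Clamp: an in-range index is unchanged, anything else becomes 0. */
static uint32_t index_nospec(uint32_t index, unsigned long size)
{
	return (uint32_t)(index & index_mask_nospec(index, size));
}

/* v2 shape: by value. The clamp lands in valid_port()'s private copies;
 * the caller still indexes vhcis[] with its own unclamped pdev_nr. */
static int valid_port_by_value(uint32_t pdev_nr, uint32_t rhport)
{
	if (pdev_nr >= NUM_CONTROLLERS || rhport >= HC_PORTS)
		return 0;
	pdev_nr = index_nospec(pdev_nr, NUM_CONTROLLERS);
	rhport = index_nospec(rhport, HC_PORTS);
	(void)pdev_nr, (void)rhport;
	return 1;
}

/* Shape asked for in the thread: by address, so the values the caller
 * later uses as array indices are the clamped ones. */
static int valid_port(uint32_t *pdev_nr, uint32_t *rhport)
{
	if (*pdev_nr >= NUM_CONTROLLERS || *rhport >= HC_PORTS)
		return 0;
	*pdev_nr = index_nospec(*pdev_nr, NUM_CONTROLLERS);
	*rhport = index_nospec(*rhport, HC_PORTS);
	return 1;
}

int main(void)
{
	uint32_t pdev_nr = 3, rhport = 7; /* constructed in-range sample */
	return !(valid_port_by_value(pdev_nr, rhport) && valid_port(&pdev_nr, &rhport));
}
```

Both variants return the same architectural result; the difference is only in which copy of the index carries the mask, which is why the by-value form leaves the later `vhcis[pdev_nr]` load unprotected.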