From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Gustavo A. R. Silva"
Subject: [PATCH] HID: hiddev: fix potential Spectre v1
Date: Fri, 29 Jun 2018 17:08:44 -0500
Message-ID: <20180629220844.GA13823@embeddedor.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
To: Jiri Kosina , Benjamin Tissoires
Cc: linux-usb@vger.kernel.org, linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva"
List-Id: linux-input@vger.kernel.org

uref->field_index, uref->usage_index, finfo.field_index and
cinfo.index can be indirectly controlled by user-space, hence
leading to a potential exploitation of the Spectre variant 1
vulnerability.

This issue was detected with the help of Smatch:

drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap)
drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap)
drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap)
drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap)

Fix this by sanitizing such structure fields before using them to index
report->field, field->usage and hid->collection.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva
---
 drivers/hid/usbhid/hiddev.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index e3ce233..23872d0 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -36,6 +36,7 @@ #include #include #include +#include #include "usbhid.h" #ifdef CONFIG_USB_DYNAMIC_MINORS @@ -469,10 +470,14 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, if (uref->field_index >= report->maxfield) goto inval; + uref->field_index = array_index_nospec(uref->field_index, + report->maxfield); field = report->field[uref->field_index]; if (uref->usage_index >= field->maxusage) goto inval; + uref->usage_index = array_index_nospec(uref->usage_index, + field->maxusage); uref->usage_code = field->usage[uref->usage_index].hid; @@ -499,6 +504,8 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, if (uref->field_index >= report->maxfield) goto inval; + uref->field_index = array_index_nospec(uref->field_index, + report->maxfield); field = report->field[uref->field_index]; @@ -753,6 +760,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) if (finfo.field_index >= report->maxfield) break; + finfo.field_index = array_index_nospec(finfo.field_index, + report->maxfield); field = report->field[finfo.field_index]; memset(&finfo, 0, sizeof(finfo)); @@ -797,6 +806,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) if (cinfo.index >= hid->maxcollection) break; + cinfo.index = array_index_nospec(cinfo.index, + hid->maxcollection); cinfo.type = hid->collection[cinfo.index].type; cinfo.usage = hid->collection[cinfo.index].usage; -- 2.7.4
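Review bot: the added `+#include` line in the first hunk (line 36) shows no header name in this rendering; array_index_nospec() is provided by <linux/nospec.h>, so please confirm the line reads `#include <linux/nospec.h>` in the patch as applied, otherwise the four new call sites will not compile.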
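Review bot: the ordering in the first hiddev_ioctl_usage hunk (line 470) matters and is correct: uref->usage_index can only be clamped after `field` has been resolved from the already-clamped uref->field_index, because its bound is field->maxusage; writing the clamped values back into uref rather than into temporaries is also the right choice, since the following lines dereference the same members again. Because array_index_nospec() returns the index unchanged whenever the preceding `>=` check passed, the writes are architecturally a no-op and only the speculative path changes; worth stating that in the commit message so nobody later "optimizes" the assignments away.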
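Review bot: the second hiddev_ioctl_usage hunk (line 504) clamps only uref->field_index, while the hunk at line 470 also clamps uref->usage_index once `field` is known; if this code path likewise checks uref->usage_index against field->maxusage before indexing into the field, it needs the same array_index_nospec() call after that check, and if it does not, a one-line comment saying why would save the next reader the same question.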
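As an added illustration of the check-then-clamp pattern the patch applies (example code written here, not part of the patch or of the kernel tree): a user-space model whose mask arithmetic mirrors the generic array_index_mask_nospec() fallback, applied to a lookup shaped like the hiddev_ioctl_usage hunk. The struct names, lookup_usage_code() and demo_lookup(), and the sample report are constructed stand-ins for hiddev's report->field[] and field->usage[] data, not the driver's own types.

```c
#include <stdint.h>
/* Branchless mask: ~0UL when index < size, 0 otherwise.  Mirrors the
 * generic array_index_mask_nospec() fallback and relies on the arithmetic
 * right shift of a negative long that gcc and clang implement. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - index - 1)) >> (sizeof(long) * 8 - 1);
}

/* Clamp index to [0, size) even on a mispredicted path where the
 * architectural bounds check has not retired yet. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Constructed stand-ins for hiddev's report/field/usage structures. */
struct usage  { uint32_t hid; };
struct field  { struct usage *usage; unsigned maxusage; };
struct report { struct field **field; unsigned maxfield; };

/* Same shape as the hiddev_ioctl_usage hunk: check, clamp, then load.  The
 * usage index can only be clamped after `field` is resolved, because its
 * bound is field->maxusage.  Returns -1 for an out-of-range index. */
int lookup_usage_code(const struct report *report, unsigned field_index,
                      unsigned usage_index, uint32_t *code)
{
    const struct field *field;
    if (field_index >= report->maxfield)
        return -1;
    field_index = index_nospec(field_index, report->maxfield);
    field = report->field[field_index];
    if (usage_index >= field->maxusage)
        return -1;
    usage_index = index_nospec(usage_index, field->maxusage);
    *code = field->usage[usage_index].hid;
    return 0;
}

/* Constructed sample: one report, one field, two usages; 0 means rejected. */
uint32_t demo_lookup(unsigned field_index, unsigned usage_index)
{
    static struct usage usages[2] = { { 0x00010030u }, { 0x00010031u } };
    static struct field f = { usages, 2 };
    static struct field *fields[1] = { &f };
    static const struct report r = { fields, 1 };
    uint32_t code = 0;
    return lookup_usage_code(&r, field_index, usage_index, &code) ? 0 : code;
}
```

An in-range index passes through index_nospec() unchanged, so the clamp never alters results the bounds check already accepted; an out-of-range one is forced to 0 even when a mispredicted branch lets the load proceed.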