From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Zhenyu Wang <zhenyuw@linux.intel.com>
Subject: [PATCH 4.18 09/22] drm/i915/kvmgt: Fix potential Spectre v1
Date: Thu, 23 Aug 2018 09:56:35 +0200 [thread overview]
Message-ID: <20180823074759.753464908@linuxfoundation.org> (raw)
In-Reply-To: <20180823074759.234685844@linuxfoundation.org>
4.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavo@embeddedor.com>
commit de5372da605d3bca46e3102bab51b7e1c0e0a6f6 upstream.
info.index can be indirectly controlled by user-space, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/gpu/drm/i915/gvt/kvmgt.c:1232 intel_vgpu_ioctl() warn:
potential spectre issue 'vgpu->vdev.region' [r]
Fix this by sanitizing info.index before indirectly using it to index
vgpu->vdev.region
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gvt/kvmgt.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
+++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
@@ -43,6 +43,8 @@
#include <linux/mdev.h>
#include <linux/debugfs.h>
+#include <linux/nospec.h>
+
#include "i915_drv.h"
#include "gvt.h"
@@ -1084,7 +1086,8 @@ static long intel_vgpu_ioctl(struct mdev
} else if (cmd == VFIO_DEVICE_GET_REGION_INFO) {
struct vfio_region_info info;
struct vfio_info_cap caps = { .buf = NULL, .size = 0 };
- int i, ret;
+ unsigned int i;
+ int ret;
struct vfio_region_info_cap_sparse_mmap *sparse = NULL;
size_t size;
int nr_areas = 1;
@@ -1169,6 +1172,10 @@ static long intel_vgpu_ioctl(struct mdev
if (info.index >= VFIO_PCI_NUM_REGIONS +
vgpu->vdev.num_regions)
return -EINVAL;
+ info.index =
+ array_index_nospec(info.index,
+ VFIO_PCI_NUM_REGIONS +
+ vgpu->vdev.num_regions);
i = info.index - VFIO_PCI_NUM_REGIONS;
next prev parent reply other threads:[~2018-08-23 9:11 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-23 7:56 [PATCH 4.18 00/22] 4.18.5-stable review Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 02/22] pty: fix O_CLOEXEC for TIOCGPTPEER Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 03/22] mm: Allow non-direct-map arguments to free_reserved_area() Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 04/22] x86/mm/init: Pass unconverted symbol addresses to free_init_pages() Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 05/22] x86/mm/init: Add helper for freeing kernel image pages Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 06/22] x86/mm/init: Remove freed kernel image areas from alias mapping Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 07/22] powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 08/22] ext4: fix spectre gadget in ext4_mb_regular_allocator() Greg Kroah-Hartman
2018-08-23 7:56 ` Greg Kroah-Hartman [this message]
2018-08-23 7:56 ` [PATCH 4.18 10/22] drm/amdgpu/pm: Fix potential Spectre v1 Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 14/22] PCI / ACPI / PM: Resume all bridges on suspend-to-RAM Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 15/22] PCI: hotplug: Dont leak pci_slot on registration failure Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 16/22] PCI: aardvark: Size bridges before resources allocation Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 17/22] PCI: Skip MPS logic for Virtual Functions (VFs) Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 18/22] PCI: pciehp: Fix use-after-free on unplug Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 19/22] PCI: pciehp: Fix unprotected list iteration in IRQ handler Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 20/22] i2c: core: ACPI: Properly set status byte to 0 for multi-byte writes Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 22/22] reiserfs: fix broken xattr handling (heap corruption, bad retval) Greg Kroah-Hartman
2018-08-23 19:20 ` [PATCH 4.18 00/22] 4.18.5-stable review Shuah Khan
2018-08-23 20:34 ` Greg Kroah-Hartman
2018-08-23 20:12 ` Guenter Roeck
2018-08-23 20:52 ` Greg Kroah-Hartman
2018-08-24 5:07 ` Naresh Kamboju
2018-08-24 6:18 ` Greg Kroah-Hartman
-- strict thread matches above, loose matches on Subject: below --
2018-08-23 7:56 [4.18,01/22] EDAC: Add missing MEM_LRDDR4 entry in edac_mem_types[] Greg Kroah-Hartman
2018-08-23 7:56 ` [PATCH 4.18 01/22] " Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180823074759.753464908@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=gustavo@embeddedor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zhenyuw@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.