From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will.deacon@arm.com>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.18 64/88] arm64: fix possible spectre-v1 write in ptrace_hbp_set_event()
Date: Fri, 7 Sep 2018 00:36:38 +0000
Message-ID: <20180907003547.57567-64-alexander.levin@microsoft.com>
In-Reply-To: <20180907003547.57567-1-alexander.levin@microsoft.com>

From: Mark Rutland <mark.rutland@arm.com>

[ Upstream commit 14d6e289a89780377f8bb09de8926d3c62d763cd ]

It's possible for userspace to control idx. Sanitize idx when using it
as an array index, to inhibit the potential spectre-v1 write gadget.

Found by smatch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 arch/arm64/kernel/ptrace.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 5c338ce5a7fa..db5440339ab3 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -277,19 +277,22 @@ static int ptrace_hbp_set_event(unsigned int note_type,
 
 	switch (note_type) {
 	case NT_ARM_HW_BREAK:
-		if (idx < ARM_MAX_BRP) {
-			tsk->thread.debug.hbp_break[idx] = bp;
-			err = 0;
-		}
+		if (idx >= ARM_MAX_BRP)
+			goto out;
+		idx = array_index_nospec(idx, ARM_MAX_BRP);
+		tsk->thread.debug.hbp_break[idx] = bp;
+		err = 0;
 		break;
 	case NT_ARM_HW_WATCH:
-		if (idx < ARM_MAX_WRP) {
-			tsk->thread.debug.hbp_watch[idx] = bp;
-			err = 0;
-		}
+		if (idx >= ARM_MAX_WRP)
+			goto out;
+		idx = array_index_nospec(idx, ARM_MAX_WRP);
+		tsk->thread.debug.hbp_watch[idx] = bp;
+		err = 0;
 		break;
 	}
 
+out:
 	return err;
 }
 
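Review bot: the two new `goto out` paths return `err` without assigning it, so an out-of-range idx only produces an error return if the declaration above this hunk initialises `err` to a negative errno; that initialiser is not visible here and is worth confirming on the 4.18 branch before merging the backport. The ordering inside each case is the part that matters and is correct: `if (idx >= ARM_MAX_BRP) goto out;` must precede `idx = array_index_nospec(idx, ARM_MAX_BRP);`, because the clamp is what bounds the store on the speculative path that the commit message describes, after the architectural path has already rejected the index. Finally, `array_index_nospec()` comes from `linux/nospec.h` and this diff adds no include, so check that arch/arm64/kernel/ptrace.c already pulls that header in on the target branch.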
-- 
2.17.1
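The check-then-clamp pattern in the hunk above, as an added userspace model that is not the patch's or the kernel's own code. The mask formula is the generic C fallback the kernel ships in include/linux/nospec.h (arm64 uses an assembly variant with the same contract); the helper names `index_mask_nospec`, `index_nospec`, `hbp_set_event_hardened`, `try_set`, `demo_info` and the `ARM_MAX_BRP` value of 16 are constructed for the example. It shows why the clamp is placed after the bounds check: even for an index the check would reject, the mask collapses the index to 0, so a speculative execution of the store stays inside the array.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the arm64 limit; the real value lives in the kernel headers. */
#define ARM_MAX_BRP 16
#define BITS_PER_LONG ((unsigned)(sizeof(unsigned long) * CHAR_BIT))

/*
 * Branch-free mask: all ones when index < size, all zeros otherwise.
 * Same formula as the kernel's generic array_index_mask_nospec() fallback.
 * Because no conditional branch is involved, the mask is computed even when
 * the CPU speculates past the preceding bounds check with a bad index.
 */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
	/* Keeps the compiler from folding the mask away based on the earlier
	 * check (the kernel's OPTIMIZER_HIDE_VAR does the same job). */
	__asm__ __volatile__("" : "+r"(index));
#endif
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp: an in-range index is unchanged, any other value becomes 0. */
static inline unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Constructed stand-in for the per-thread hw_breakpoint table. */
struct debug_info {
	const void *hbp_break[ARM_MAX_BRP];
};

/*
 * The pattern from the patch: reject an out-of-range idx architecturally
 * first, then clamp it before the store so the speculative path cannot
 * write outside hbp_break[]. Returns 0 on success, -EINVAL otherwise.
 */
static int hbp_set_event_hardened(struct debug_info *d, unsigned long idx, const void *bp)
{
	if (idx >= ARM_MAX_BRP)
		return -EINVAL;
	idx = index_nospec(idx, ARM_MAX_BRP);
	d->hbp_break[idx] = bp;
	return 0;
}

/* Convenience wrapper over a file-scope table so the result is easy to check. */
static struct debug_info demo_info;
static int try_set(unsigned long idx)
{
	return hbp_set_event_hardened(&demo_info, idx, "bp");
}

int main(void)
{
	/* Constructed probe values: in range, last valid slot, first invalid, far out, all-ones. */
	unsigned long probes[] = { 0, ARM_MAX_BRP - 1, ARM_MAX_BRP, 1000, ULONG_MAX };
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		unsigned long idx = probes[i];
		printf("idx=%lu mask=%#lx clamped=%lu set=%d\n",
		       idx, index_mask_nospec(idx, ARM_MAX_BRP),
		       index_nospec(idx, ARM_MAX_BRP), try_set(idx));
	}
	return 0;
}
```

The same construction applies to the NT_ARM_HW_WATCH case with ARM_MAX_WRP; the array bound passed to the clamp must be the one the preceding check used, otherwise the mask bounds a different array than the one being written.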
