All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] drm/bufs: Fix Spectre v1 vulnerability
@ 2018-10-16  9:55 Gustavo A. R. Silva
  2018-10-17  7:19 ` Daniel Vetter
  0 siblings, 1 reply; 3+ messages in thread
From: Gustavo A. R. Silva @ 2018-10-16  9:55 UTC (permalink / raw)
  To: Maarten Lankhorst, Maxime Ripard, Sean Paul, David Airlie
  Cc: dri-devel, linux-kernel, Gustavo A. R. Silva

idx can be indirectly controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential
spectre issue 'dma->buflist' [r] (local cap)

Fix this by sanitizing idx before using it to index dma->buflist

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
 drivers/gpu/drm/drm_bufs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
index 7412aca..d7d10ca 100644
--- a/drivers/gpu/drm/drm_bufs.c
+++ b/drivers/gpu/drm/drm_bufs.c
@@ -36,6 +36,8 @@
 #include <drm/drmP.h>
 #include "drm_legacy.h"
 
+#include <linux/nospec.h>
+
 static struct drm_map_list *drm_find_matching_map(struct drm_device *dev,
 						  struct drm_local_map *map)
 {
@@ -1417,6 +1419,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data,
 				  idx, dma->buf_count - 1);
 			return -EINVAL;
 		}
+		idx = array_index_nospec(idx, dma->buf_count);
 		buf = dma->buflist[idx];
 		if (buf->file_priv != file_priv) {
 			DRM_ERROR("Process %d freeing buffer not owned\n",
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] drm/bufs: Fix Spectre v1 vulnerability
  2018-10-16  9:55 [PATCH] drm/bufs: Fix Spectre v1 vulnerability Gustavo A. R. Silva
@ 2018-10-17  7:19 ` Daniel Vetter
  2018-10-17 10:35   ` Gustavo A. R. Silva
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel Vetter @ 2018-10-17  7:19 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: Maarten Lankhorst, Maxime Ripard, Sean Paul, David Airlie,
	linux-kernel, dri-devel

On Tue, Oct 16, 2018 at 11:55:49AM +0200, Gustavo A. R. Silva wrote:
> idx can be indirectly controlled by user-space, hence leading to a
> potential exploitation of the Spectre variant 1 vulnerability.
> 
> This issue was detected with the help of Smatch:
> 
> drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential
> spectre issue 'dma->buflist' [r] (local cap)
> 
> Fix this by sanitizing idx before using it to index dma->buflist
> 
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
> 
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>

Applied since it's correct, but I dropped the cc: stable. This code is
very dead and full of security issues, and spectre is the least of your
worries. If you want to a stab at fixing the real spectre issues in drm,
then look anywhere that isn't full of drm_legacy_* functions.

The most important file is probably drm_ioctl.c.
-Daniel

> ---
>  drivers/gpu/drm/drm_bufs.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
> index 7412aca..d7d10ca 100644
> --- a/drivers/gpu/drm/drm_bufs.c
> +++ b/drivers/gpu/drm/drm_bufs.c
> @@ -36,6 +36,8 @@
>  #include <drm/drmP.h>
>  #include "drm_legacy.h"
>  
> +#include <linux/nospec.h>
> +
>  static struct drm_map_list *drm_find_matching_map(struct drm_device *dev,
>  						  struct drm_local_map *map)
>  {
> @@ -1417,6 +1419,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data,
>  				  idx, dma->buf_count - 1);
>  			return -EINVAL;
>  		}
> +		idx = array_index_nospec(idx, dma->buf_count);
>  		buf = dma->buflist[idx];
>  		if (buf->file_priv != file_priv) {
>  			DRM_ERROR("Process %d freeing buffer not owned\n",
> -- 
> 2.7.4
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] drm/bufs: Fix Spectre v1 vulnerability
  2018-10-17  7:19 ` Daniel Vetter
@ 2018-10-17 10:35   ` Gustavo A. R. Silva
  0 siblings, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2018-10-17 10:35 UTC (permalink / raw)
  To: Maarten Lankhorst, Maxime Ripard, Sean Paul, David Airlie,
	linux-kernel, dri-devel



On 10/17/18 9:19 AM, Daniel Vetter wrote:

>> Cc: stable@vger.kernel.org
>> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
> 
> Applied since it's correct, but I dropped the cc: stable. This code is
> very dead and full of security issues, and spectre is the least of your
> worries. If you want to a stab at fixing the real spectre issues in drm,
> then look anywhere that isn't full of drm_legacy_* functions.
>

OK. I've got it.

> The most important file is probably drm_ioctl.c.
> -Daniel
> 

Thanks for the feedback, Daniel.
--
Gustavo

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-10-17 10:35 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-10-16  9:55 [PATCH] drm/bufs: Fix Spectre v1 vulnerability Gustavo A. R. Silva
2018-10-17  7:19 ` Daniel Vetter
2018-10-17 10:35   ` Gustavo A. R. Silva

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.