From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Michael S. Tsirkin" <mst@redhat.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Jason Wang <jasowang@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 09/24] vhost: Fix Spectre V1 vulnerability
Date: Fri, 2 Nov 2018 19:34:42 +0100 [thread overview]
Message-ID: <20181102182841.150614489@linuxfoundation.org> (raw)
In-Reply-To: <20181102182839.725385066@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
[ Upstream commit ff002269a4ee9c769dbf9365acef633ebcbd6cbe ]
The idx in vhost_vring_ioctl() was controlled by userspace, hence a
potential exploitation of the Spectre variant 1 vulnerability.
Fixing this by sanitizing idx before using it to index d->vqs.
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vhost.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -30,6 +30,7 @@
#include <linux/sched/mm.h>
#include <linux/sched/signal.h>
#include <linux/interval_tree_generic.h>
+#include <linux/nospec.h>
#include "vhost.h"
@@ -1397,6 +1398,7 @@ long vhost_vring_ioctl(struct vhost_dev
if (idx >= d->nvqs)
return -ENOBUFS;
+ idx = array_index_nospec(idx, d->nvqs);
vq = d->vqs[idx];
mutex_lock(&vq->mutex);
next prev parent reply other threads:[~2018-11-02 18:37 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-02 18:34 [PATCH 4.19 00/24] 4.19.1-stable review Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 01/24] bridge: do not add port to router list when receives query with source 0.0.0.0 Greg Kroah-Hartman
2019-02-17 14:29 ` Sebastian Gottschall
2019-02-17 16:48 ` Greg Kroah-Hartman
2019-02-18 10:18 ` Sebastian Gottschall
2019-02-20 12:48 ` Sebastian Gottschall
2019-02-20 13:09 ` Nikolay Aleksandrov
2019-02-20 13:11 ` Nikolay Aleksandrov
2019-02-20 14:46 ` Hangbin Liu
2019-02-21 12:50 ` Sebastian Gottschall
2019-02-21 11:41 ` Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 02/24] ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 03/24] net/mlx5e: fix csum adjustments caused by RXFCS Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 04/24] net: sched: gred: pass the right attribute to gred_change_table_def() Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 05/24] net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 06/24] net: udp: fix handling of CHECKSUM_COMPLETE packets Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 07/24] Revert "net: simplify sock_poll_wait" Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 08/24] rtnetlink: Disallow FDB configuration for non-Ethernet device Greg Kroah-Hartman
2018-11-02 18:34 ` Greg Kroah-Hartman [this message]
2018-11-02 18:34 ` [PATCH 4.19 10/24] bonding: fix length of actor system Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 11/24] openvswitch: Fix push/pop ethernet validation Greg Kroah-Hartman
2018-11-02 18:34 ` Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 12/24] net/ipv6: Allow onlink routes to have a device mismatch if it is the default route Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 13/24] net/smc: fix smc_buf_unuse to use the lgr pointer Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 14/24] mlxsw: spectrum_switchdev: Dont ignore deletions of learned MACs Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 15/24] mlxsw: core: Fix devlink unregister flow Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 16/24] net: drop skb on failure in ip_check_defrag() Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 17/24] net: Properly unlink GRO packets on overflow Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 18/24] r8169: fix broken Wake-on-LAN from S5 (poweroff) Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 19/24] Revert "be2net: remove desc field from be_eq_obj" Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 20/24] sctp: check policy more carefully when getting pr status Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 21/24] sparc64: Export __node_distance Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 22/24] sparc64: Make corrupted user stacks more debuggable Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 23/24] sparc64: Wire up compat getpeername and getsockname Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 24/24] net: bridge: remove ipv6 zero address check in mcast queries Greg Kroah-Hartman
2018-11-03 14:33 ` [PATCH 4.19 00/24] 4.19.1-stable review Guenter Roeck
2018-11-04 4:24 ` Naresh Kamboju
2018-11-04 7:10 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181102182841.150614489@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aarcange@redhat.com \
--cc=davem@davemloft.net \
--cc=jasowang@redhat.com \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.