[PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability
@ 2018-12-18 17:18 Gustavo A. R. Silva
  2018-12-18 23:48 ` Sasha Levin
  2018-12-19 13:37   ` Takashi Iwai
  0 siblings, 2 replies; 4+ messages in thread
From: Gustavo A. R. Silva @ 2018-12-18 17:18 UTC (permalink / raw)
  To: Jaroslav Kysela, Takashi Iwai
  Cc: alsa-devel, linux-kernel, Gustavo A. R. Silva

info->channel is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/pci/rme9652/hdsp.c:4100 snd_hdsp_channel_info() warn: potential spectre issue 'hdsp->channel_map' [r] (local cap)

Fix this by sanitizing info->channel before using it to index hdsp->channel_map

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

Also, notice that I refactored the code a bit in order to get rid of the
following checkpatch warning:

ERROR: do not use assignment in if condition
FILE: sound/pci/rme9652/hdsp.c:4103:
	if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)


[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
 sound/pci/rme9652/hdsp.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
index 1bff4b1b39cd..ba99ff0e93e0 100644
--- a/sound/pci/rme9652/hdsp.c
+++ b/sound/pci/rme9652/hdsp.c
@@ -30,6 +30,7 @@
 #include <linux/math64.h>
 #include <linux/vmalloc.h>
 #include <linux/io.h>
+#include <linux/nospec.h>
 
 #include <sound/core.h>
 #include <sound/control.h>
@@ -4092,15 +4093,16 @@ static int snd_hdsp_channel_info(struct snd_pcm_substream *substream,
 				    struct snd_pcm_channel_info *info)
 {
 	struct hdsp *hdsp = snd_pcm_substream_chip(substream);
-	int mapped_channel;
+	unsigned int channel = info->channel;
 
-	if (snd_BUG_ON(info->channel >= hdsp->max_channels))
+	if (snd_BUG_ON(channel >= hdsp->max_channels))
 		return -EINVAL;
+	channel = array_index_nospec(channel, hdsp->max_channels);
 
-	if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
+	if (hdsp->channel_map[channel] < 0)
 		return -EINVAL;
 
-	info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES;
+	info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES;
 	info->first = 0;
 	info->step = 32;
 	return 0;
-- 
2.19.2

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability
  2018-12-18 17:18 [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability Gustavo A. R. Silva
@ 2018-12-18 23:48 ` Sasha Levin
  2018-12-19 13:37   ` Takashi Iwai
  1 sibling, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2018-12-18 23:48 UTC (permalink / raw)
  To: Sasha Levin, Gustavo A. R. Silva, Jaroslav Kysela, Takashi Iwai
  Cc: alsa-devel, linux-kernel, stable

Hi,

[This is an automated email]

This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all

The bot has tested the following trees: v4.19.10, v4.14.89, v4.9.146, v4.4.168, v3.18.130, 

v4.19.10: Build OK!
v4.14.89: Build OK!
v4.9.146: Build OK!
v4.4.168: Build OK!
v3.18.130: Failed to apply! Possible dependencies:
    6cbbfe1c8ddb ("ALSA: Include linux/io.h instead of asm/io.h")


How should we proceed with this patch?

--
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability
  2018-12-18 17:18 [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability Gustavo A. R. Silva
@ 2018-12-19 13:37   ` Takashi Iwai
  2018-12-19 13:37   ` Takashi Iwai
  1 sibling, 0 replies; 4+ messages in thread
From: Takashi Iwai @ 2018-12-19 13:37 UTC (permalink / raw)
  To:  Gustavo A. R. Silva ; +Cc: Jaroslav Kysela, alsa-devel, linux-kernel

On Tue, 18 Dec 2018 18:18:34 +0100,
 Gustavo A. R. Silva  wrote:
> 
> info->channel is indirectly controlled by user-space, hence leading to
> a potential exploitation of the Spectre variant 1 vulnerability.
> 
> This issue was detected with the help of Smatch:
> 
> sound/pci/rme9652/hdsp.c:4100 snd_hdsp_channel_info() warn: potential spectre issue 'hdsp->channel_map' [r] (local cap)
> 
> Fix this by sanitizing info->channel before using it to index hdsp->channel_map
> 
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
> 
> Also, notice that I refactored the code a bit in order to get rid of the
> following checkpatch warning:
> 
> ERROR: do not use assignment in if condition
> FILE: sound/pci/rme9652/hdsp.c:4103:
> 	if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
> 
> 
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>

Applied, thanks.


Takashi

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability
@ 2018-12-19 13:37   ` Takashi Iwai
  0 siblings, 0 replies; 4+ messages in thread
From: Takashi Iwai @ 2018-12-19 13:37 UTC (permalink / raw)
  To:  Gustavo A. R. Silva ; +Cc: Jaroslav Kysela, alsa-devel, linux-kernel

On Tue, 18 Dec 2018 18:18:34 +0100,
 Gustavo A. R. Silva  wrote:
> 
> info->channel is indirectly controlled by user-space, hence leading to
> a potential exploitation of the Spectre variant 1 vulnerability.
> 
> This issue was detected with the help of Smatch:
> 
> sound/pci/rme9652/hdsp.c:4100 snd_hdsp_channel_info() warn: potential spectre issue 'hdsp->channel_map' [r] (local cap)
> 
> Fix this by sanitizing info->channel before using it to index hdsp->channel_map
> 
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
> 
> Also, notice that I refactored the code a bit in order to get rid of the
> following checkpatch warning:
> 
> ERROR: do not use assignment in if condition
> FILE: sound/pci/rme9652/hdsp.c:4103:
> 	if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
> 
> 
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>

Applied, thanks.


Takashi

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-12-19 13:37 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-12-18 17:18 [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability Gustavo A. R. Silva
2018-12-18 23:48 ` Sasha Levin
2018-12-19 13:37 ` Takashi Iwai
2018-12-19 13:37   ` Takashi Iwai

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.