From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Vetter
To: "Gustavo A. R. Silva"
Cc: Maxime Ripard, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, David Airlie, Sean Paul
Subject: Re: [PATCH] drm/ioctl: Fix Spectre v1 vulnerabilities
Date: Thu, 20 Dec 2018 08:14:05 +0100
Message-ID: <20181220071404.GD21184@phenom.ffwll.local>
In-Reply-To: <20181220000015.GA18973@embeddedor>
References: <20181220000015.GA18973@embeddedor>
List-Id: dri-devel@lists.freedesktop.org

On Wed, Dec 19, 2018 at 06:00:15PM -0600, Gustavo A. R. Silva wrote:
> nr is indirectly controlled by user-space, hence leading to a
> potential exploitation of the Spectre variant 1 vulnerability.
> 
> This issue was detected with the help of Smatch:
> 
> drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r]
> drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
> drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
> 
> Fix this by sanitizing nr before using it to index dev->driver->ioctls
> and drm_ioctls.
> 
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
> 
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>

lgtm and I think there's no other obvious place where we need
array_index_nospec in drm core. Applied to drm-misc-fixes.
-Daniel

> ---
>  drivers/gpu/drm/drm_ioctl.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
> index 94bd872d56c4..7e6746b2d704 100644
> --- a/drivers/gpu/drm/drm_ioctl.c
> +++ b/drivers/gpu/drm/drm_ioctl.c
> @@ -37,6 +37,7 @@
>  
>  #include <linux/pci.h>
>  #include <linux/export.h>
> +#include <linux/nospec.h>
>  
>  /**
>   * DOC: getunique and setversion story
> @@ -800,13 +801,17 @@ long drm_ioctl(struct file *filp,
>  
>  	if (is_driver_ioctl) {
>  		/* driver ioctl */
> -		if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
> +		unsigned int index = nr - DRM_COMMAND_BASE;
> +
> +		if (index >= dev->driver->num_ioctls)
>  			goto err_i1;
> -		ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
> +		index = array_index_nospec(index, dev->driver->num_ioctls);
> +		ioctl = &dev->driver->ioctls[index];
>  	} else {
>  		/* core ioctl */
>  		if (nr >= DRM_CORE_IOCTL_COUNT)
>  			goto err_i1;
> +		nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
>  		ioctl = &drm_ioctls[nr];
>  	}
>  
> @@ -888,6 +893,7 @@ bool drm_ioctl_flags(unsigned int nr, unsigned int *flags)
>  
>  	if (nr >= DRM_CORE_IOCTL_COUNT)
>  		return false;
> +	nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
>  
>  	*flags = drm_ioctls[nr].flags;
>  	return true;
> -- 
> 2.20.1
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
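Review bot: in the driver-ioctl branch of the drm_ioctl() hunk, `unsigned int index = nr - DRM_COMMAND_BASE;` is only meaningful if `is_driver_ioctl` guarantees `nr >= DRM_COMMAND_BASE`; when it does not, the unsigned subtraction wraps to a large value that `if (index >= dev->driver->num_ioctls)` still rejects, so the result is safe but relies on a non-obvious invariant that deserves a one-line comment next to the new local. The placement of the clamp is right: in both branches `array_index_nospec()` sits after the architectural bounds check and immediately before the `ioctls[...]` load, which is what the "kill the speculation on the first load" policy in the changelog asks for.

Review bot: the drm_ioctl_flags() hunk repeats, line for line, the check-clamp-index sequence of the core-ioctl branch in drm_ioctl() against the same `DRM_CORE_IOCTL_COUNT` bound (`if (nr >= DRM_CORE_IOCTL_COUNT)`, then `nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);`, then `drm_ioctls[nr]`); a small static helper that returns the sanitized core index, or signals out-of-range, would keep the two copies from drifting apart if the table or its bound changes later.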
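The mitigation the patch applies (an architectural bounds check followed by array_index_nospec() before the table load), as an added example that is not code from the patch, the DRM tree or the kernel headers: a userspace C model with a constructed ioctl table standing in for drm_ioctls[], and a branchless clamp reimplemented here with the semantics of the generic fallback in <linux/nospec.h> (that equivalence is an assumption; the kernel has per-architecture versions). It puts the "before" pattern, which is correct only once the branch resolves, beside the "after" pattern, where an out-of-range index is forced to 0 on every path, speculative or not.

```c
/* Added example, not code from the patch or the kernel: a userspace model of the
 * check-then-clamp-then-index pattern that the patch applies to drm_ioctls[].
 * array_index_mask_nospec()/array_index_nospec() below are reimplementations with
 * the semantics of the generic fallback in <linux/nospec.h> (assumed); the ioctl
 * table and the probe indices are constructed sample data. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* All ones when index < size, all zeros otherwise, computed without a branch so
 * there is nothing for the CPU to mispredict. With index < size (size <= LONG_MAX)
 * neither operand of the OR has its top bit set; with index >= size the
 * subtraction wraps and sets it. Extracting that bit and subtracting one gives
 * the mask. */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
	unsigned long out_of_range = (index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
	return out_of_range - 1UL;
}

/* Valid indices pass through unchanged; out-of-range ones are forced to 0. */
static unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
	return index & array_index_mask_nospec(index, size);
}

struct ioctl_desc {
	const char *name;
	unsigned int flags;
};

/* Constructed stand-in for the core ioctl table (names and flags are not DRM's). */
static const struct ioctl_desc sample_ioctls[] = {
	{ "SAMPLE_VERSION",     0x1 },
	{ "SAMPLE_GET_UNIQUE",  0x1 },
	{ "SAMPLE_SET_VERSION", 0x2 },
	{ "SAMPLE_GET_CAP",     0x4 },
};
#define SAMPLE_IOCTL_COUNT (sizeof(sample_ioctls) / sizeof(sample_ioctls[0]))

/* "Before": the check is correct at retirement, but if the branch is predicted
 * as in-range the load from sample_ioctls[nr] still executes speculatively with
 * an out-of-range nr, leaving a cache footprint that depends on that memory. */
int lookup_flags_checked(unsigned int nr, unsigned int *flags)
{
	if (nr >= SAMPLE_IOCTL_COUNT)
		return 0;
	*flags = sample_ioctls[nr].flags;
	return 1;
}

/* "After", the patch's pattern: same check, then clamp, then index. On a
 * mispredicted path nr becomes 0, so the only address ever dereferenced lies
 * inside the table. */
int lookup_flags_nospec(unsigned int nr, unsigned int *flags)
{
	if (nr >= SAMPLE_IOCTL_COUNT)
		return 0;
	nr = array_index_nospec(nr, SAMPLE_IOCTL_COUNT);
	*flags = sample_ioctls[nr].flags;
	return 1;
}

/* Convenience wrapper: the flags for nr, or UINT_MAX when nr is rejected. */
unsigned int flags_or_sentinel(unsigned int nr)
{
	unsigned int flags;
	return lookup_flags_nospec(nr, &flags) ? flags : UINT_MAX;
}

int main(void)
{
	/* Constructed probe indices: two valid, one just past the end, one huge. */
	const unsigned long probes[] = { 0, 3, 4, ~0UL };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("index %lu -> clamped %lu\n", probes[i],
		       array_index_nospec(probes[i], SAMPLE_IOCTL_COUNT));
	printf("flags(2) = %u, flags(4) = %u\n", flags_or_sentinel(2), flags_or_sentinel(4));
	return 0;
}
```

The clamp is deliberately arithmetic rather than a conditional: a ternary or a second `if` would give the compiler another branch to predict, which is exactly what the mask avoids. Running it shows indices 0 and 3 surviving unchanged while 4 and ~0UL collapse to 0, and the rejected lookup returning the sentinel.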