From mboxrd@z Thu Jan 1 00:00:00 1970 From: Sasha Levin Subject: [PATCH AUTOSEL 4.4 01/80] drm/bufs: Fix Spectre v1 vulnerability Date: Mon, 28 Jan 2019 11:22:42 -0500 Message-ID: <20190128162401.58841-1-sashal@kernel.org> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by gabe.freedesktop.org (Postfix) with ESMTPS id 8BB226E6D7 for ; Mon, 28 Jan 2019 16:24:03 +0000 (UTC) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Sasha Levin , Daniel Vetter , dri-devel@lists.freedesktop.org, "Gustavo A. R. Silva" List-Id: dri-devel@lists.freedesktop.org RnJvbTogIkd1c3Rhdm8gQS4gUi4gU2lsdmEiIDxndXN0YXZvQGVtYmVkZGVkb3IuY29tPgoKWyBV cHN0cmVhbSBjb21taXQgYTM3ODA1MDk4OTAwYTZlNzNhNTViM2E0M2I3ZDNiY2Q5ODdiYjNmNCBd CgppZHggY2FuIGJlIGluZGlyZWN0bHkgY29udHJvbGxlZCBieSB1c2VyLXNwYWNlLCBoZW5jZSBs ZWFkaW5nIHRvIGEKcG90ZW50aWFsIGV4cGxvaXRhdGlvbiBvZiB0aGUgU3BlY3RyZSB2YXJpYW50 IDEgdnVsbmVyYWJpbGl0eS4KClRoaXMgaXNzdWUgd2FzIGRldGVjdGVkIHdpdGggdGhlIGhlbHAg b2YgU21hdGNoOgoKZHJpdmVycy9ncHUvZHJtL2RybV9idWZzLmM6MTQyMCBkcm1fbGVnYWN5X2Zy ZWVidWZzKCkgd2FybjogcG90ZW50aWFsCnNwZWN0cmUgaXNzdWUgJ2RtYS0+YnVmbGlzdCcgW3Jd IChsb2NhbCBjYXApCgpGaXggdGhpcyBieSBzYW5pdGl6aW5nIGlkeCBiZWZvcmUgdXNpbmcgaXQg dG8gaW5kZXggZG1hLT5idWZsaXN0CgpOb3RpY2UgdGhhdCBnaXZlbiB0aGF0IHNwZWN1bGF0aW9u IHdpbmRvd3MgYXJlIGxhcmdlLCB0aGUgcG9saWN5IGlzCnRvIGtpbGwgdGhlIHNwZWN1bGF0aW9u IG9uIHRoZSBmaXJzdCBsb2FkIGFuZCBub3Qgd29ycnkgaWYgaXQgY2FuIGJlCmNvbXBsZXRlZCB3 aXRoIGEgZGVwZW5kZW50IGxvYWQvc3RvcmUgWzFdLgoKWzFdIGh0dHBzOi8vbWFyYy5pbmZvLz9s PWxpbnV4LWtlcm5lbCZtPTE1MjQ0OTEzMTExNDc3OCZ3PTIKClNpZ25lZC1vZmYtYnk6IEd1c3Rh dm8gQS4gUi4gU2lsdmEgPGd1c3Rhdm9AZW1iZWRkZWRvci5jb20+ClNpZ25lZC1vZmYtYnk6IERh bmllbCBWZXR0ZXIgPGRhbmllbC52ZXR0ZXJAZmZ3bGwuY2g+Ckxpbms6IGh0dHBzOi8vcGF0Y2h3 b3JrLmZyZWVkZXNrdG9wLm9yZy9wYXRjaC9tc2dpZC8yMDE4MTAxNjA5NTU0OS5HQTIzNTg2QGVt YmVkZGVkb3IuY29tClNpZ25lZC1vZmYtYnk6IFNhc2hhIExldmluIDxzYXNoYWxAa2VybmVsLm9y Zz4KLS0tCiBkcml2ZXJzL2dwdS9kcm0vZHJtX2J1ZnMuYyB8IDMgKysrCiAxIGZpbGUgY2hhbmdl ZCwgMyBpbnNlcnRpb25zKCspCgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9ncHUvZHJtL2RybV9idWZz LmMgYi9kcml2ZXJzL2dwdS9kcm0vZHJtX2J1ZnMuYwppbmRleCBmMWEyMDRkMjUzY2MuLmFjMjJi OGQ4NjI0OSAxMDA2NDQKLS0tIGEvZHJpdmVycy9ncHUvZHJtL2RybV9idWZzLmMKKysrIGIvZHJp dmVycy9ncHUvZHJtL2RybV9idWZzLmMKQEAgLTM2LDYgKzM2LDggQEAKICNpbmNsdWRlIDxkcm0v ZHJtUC5oPgogI2luY2x1ZGUgImRybV9sZWdhY3kuaCIKIAorI2luY2x1ZGUgPGxpbnV4L25vc3Bl Yy5oPgorCiBzdGF0aWMgc3RydWN0IGRybV9tYXBfbGlzdCAqZHJtX2ZpbmRfbWF0Y2hpbmdfbWFw KHN0cnVjdCBkcm1fZGV2aWNlICpkZXYsCiAJCQkJCQkgIHN0cnVjdCBkcm1fbG9jYWxfbWFwICpt YXApCiB7CkBAIC0xMzMyLDYgKzEzMzQsNyBAQCBpbnQgZHJtX2xlZ2FjeV9mcmVlYnVmcyhzdHJ1 Y3QgZHJtX2RldmljZSAqZGV2LCB2b2lkICpkYXRhLAogCQkJCSAgaWR4LCBkbWEtPmJ1Zl9jb3Vu dCAtIDEpOwogCQkJcmV0dXJuIC1FSU5WQUw7CiAJCX0KKwkJaWR4ID0gYXJyYXlfaW5kZXhfbm9z cGVjKGlkeCwgZG1hLT5idWZfY291bnQpOwogCQlidWYgPSBkbWEtPmJ1Zmxpc3RbaWR4XTsKIAkJ aWYgKGJ1Zi0+ZmlsZV9wcml2ICE9IGZpbGVfcHJpdikgewogCQkJRFJNX0VSUk9SKCJQcm9jZXNz ICVkIGZyZWVpbmcgYnVmZmVyIG5vdCBvd25lZFxuIiwKLS0gCjIuMTkuMQoKX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVsIG1haWxpbmcgbGlz dApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHBzOi8vbGlzdHMuZnJlZWRlc2t0 b3Aub3JnL21haWxtYW4vbGlzdGluZm8vZHJpLWRldmVsCg== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B99FAC282CD for ; Mon, 28 Jan 2019 16:41:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 862B82082C for ; Mon, 28 Jan 2019 16:41:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1548693670; bh=TrU+LYKr5NU+rGoJAdo0QQ3ER6EW5dpEs9pgHmJgLxo=; h=From:To:Cc:Subject:Date:List-ID:From; b=vPXY4P+kn3DFODzFBMK5fIqWlRjN4XNIusvzEgGqlCYtDPMZhCqhh/bImF2CH6IbG SVQ32BUlzWc5ql35zlE2aTdmnGxZOiyj+nrwF2c9IyEpasnmFgX+lbl2aEZYZaVQqu +wKJBK8R6HzW7wtwDYlXAhG3i3+O+xS37ftP9jCI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389606AbfA1QYG (ORCPT ); Mon, 28 Jan 2019 11:24:06 -0500 Received: from mail.kernel.org ([198.145.29.99]:60548 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730680AbfA1QYE (ORCPT ); Mon, 28 Jan 2019 11:24:04 -0500 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9A7D120879; Mon, 28 Jan 2019 16:24:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1548692643; bh=TrU+LYKr5NU+rGoJAdo0QQ3ER6EW5dpEs9pgHmJgLxo=; h=From:To:Cc:Subject:Date:From; b=zXAlIhUJkCBoX2l9GNLtm0UEsDoJ4TSgL/NoJbglA64rUrEJ7um4rFaXa0A6JMM2U +ccQVZilX8xlNNssmH4JrbjPjEdqwQtG3YSqY1ozauqQ9sHdaThBdnrd5RZQ/MNk4/ zlkjK5mzOCC+hooaJrBi5No8ukjWRsPEgbB7lClg= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: "Gustavo A. R. Silva" , Daniel Vetter , Sasha Levin , dri-devel@lists.freedesktop.org Subject: [PATCH AUTOSEL 4.4 01/80] drm/bufs: Fix Spectre v1 vulnerability Date: Mon, 28 Jan 2019 11:22:42 -0500 Message-Id: <20190128162401.58841-1-sashal@kernel.org> X-Mailer: git-send-email 2.19.1 MIME-Version: 1.0 X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: "Gustavo A. R. Silva" [ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ] idx can be indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential spectre issue 'dma->buflist' [r] (local cap) Fix this by sanitizing idx before using it to index dma->buflist Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Signed-off-by: Gustavo A. R. Silva Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com Signed-off-by: Sasha Levin --- drivers/gpu/drm/drm_bufs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c index f1a204d253cc..ac22b8d86249 100644 --- a/drivers/gpu/drm/drm_bufs.c +++ b/drivers/gpu/drm/drm_bufs.c @@ -36,6 +36,8 @@ #include #include "drm_legacy.h" +#include + static struct drm_map_list *drm_find_matching_map(struct drm_device *dev, struct drm_local_map *map) { @@ -1332,6 +1334,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data, idx, dma->buf_count - 1); return -EINVAL; } + idx = array_index_nospec(idx, dma->buf_count); buf = dma->buflist[idx]; if (buf->file_priv != file_priv) { DRM_ERROR("Process %d freeing buffer not owned\n", -- 2.19.1