From: Kent Gibson <warthog618@gmail.com>
To: Hagar Hemdan <hagarhem@amazon.com>
Cc: Norbert Manthey <nmanthey@amazon.de>,
Linus Walleij <linus.walleij@linaro.org>,
Bartosz Golaszewski <brgl@bgdev.pl>,
linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] gpio: prevent potential speculation leaks in gpio_device_get_desc()
Date: Fri, 17 May 2024 17:39:22 +0800 [thread overview]
Message-ID: <20240517093922.GA337309@rigel> (raw)
In-Reply-To: <20240517090904.22812-1-hagarhem@amazon.com>
On Fri, May 17, 2024 at 09:09:04AM +0000, Hagar Hemdan wrote:
> Users can call the gpio_ioctl() interface to get information about gpio
> chip lines.
> Lines on the chip are identified by an offset in the range
> of [0,chip.lines).
> Offset is copied from user and then used as an array index to get
> the gpio descriptor without sanitization.
>
> This change ensures that the offset is sanitized by
> "using array_index_nospec" to mitigate any possibility of speculative
> information leaks.
>
This could better describe the problem. I'm still not 100% sure I
understand it, so it would be great if the comment could clarify it,
specifically what "speculation leaks" means.
And when referencing functions use (), so array_index_nospec(), rather
than quotes.
> This bug was discovered and resolved using Coverity Static Analysis
> Security Testing (SAST) by Synopsys, Inc.
>
> Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL")
This is not the correct commit(s) - the bug would've been present in the
character device uAPI since it was first added.
In fact two out of three places you patched in v1 pre-date this commit.
> Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
> ---
> v2: call array_index_nospec() after the bounds check.
> ---
> drivers/gpio/gpiolib.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
> index fa50db0c3605..b58e4fe78cec 100644
> --- a/drivers/gpio/gpiolib.c
> +++ b/drivers/gpio/gpiolib.c
> @@ -17,6 +17,7 @@
> #include <linux/list.h>
> #include <linux/lockdep.h>
> #include <linux/module.h>
> +#include <linux/nospec.h>
> #include <linux/of.h>
> #include <linux/pinctrl/consumer.h>
> #include <linux/seq_file.h>
> @@ -201,7 +202,7 @@ gpio_device_get_desc(struct gpio_device *gdev, unsigned int hwnum)
> if (hwnum >= gdev->ngpio)
> return ERR_PTR(-EINVAL);
>
> - return &gdev->descs[hwnum];
> + return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)];
> }
> EXPORT_SYMBOL_GPL(gpio_device_get_desc);
>
That makes more sense to me, so I no problem with the code change.
Cheers,
Kent.
prev parent reply other threads:[~2024-05-17 9:39 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-17 9:09 [PATCH v2] gpio: prevent potential speculation leaks in gpio_device_get_desc() Hagar Hemdan
2024-05-17 9:39 ` Kent Gibson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240517093922.GA337309@rigel \
--to=warthog618@gmail.com \
--cc=brgl@bgdev.pl \
--cc=hagarhem@amazon.com \
--cc=linus.walleij@linaro.org \
--cc=linux-gpio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nmanthey@amazon.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.