From: Breno Leitao <leitao@debian.org>
To: nathanl@linux.ibm.com
Cc: "Naveen N. Rao" <naveen.n.rao@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org,
Nicholas Piggin <npiggin@gmail.com>
Subject: Re: [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
Date: Fri, 31 May 2024 06:45:13 -0700
Message-ID: <ZlnUaZiXM3Fuy+0g@gmail.com>
In-Reply-To: <20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm.com>
On Thu, May 30, 2024 at 07:44:12PM -0500, Nathan Lynch via B4 Relay wrote:
> From: Nathan Lynch <nathanl@linux.ibm.com>
>
> Smatch warns:
>
> arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
> spectre issue 'args.args' [r] (local cap)
>
> The 'nargs' and 'nret' locals come directly from a user-supplied
> buffer and are used as indexes into a small stack-based array and as
> inputs to copy_to_user() after they are subject to bounds checks.
>
> Use array_index_nospec() after the bounds checks to clamp these values
> for speculative execution.
>
> Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
> Reported-by: Breno Leitao <leitao@debian.org>
Thanks for working on it.
Reviewed-by: Breno Leitao <leitao@debian.org>
> + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
> + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
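Review bot: array_index_nospec() clamps to the half-open range [0, size) and returns 0 when the index equals size, and nret is used as a count as well as an index, so if the bounds check preceding this hunk admits nret == ARRAY_SIZE(args.args) - nargs, the second line silently turns that legal value into 0; worth confirming the check is strict for that case or adjusting the size argument. A short comment that the second clamp relies on the already-clamped nargs from the line above, so the two statements must stay in this order, would also help future readers.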
On an unrelated note, nargs and nret are integers and could eventually be
negative. Is this a valid use case?
Thanks!
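The check-then-clamp sequence the commit message describes, modelled in userland C as an added example that is not the kernel's code: mask_nospec() and index_nospec() are stand-ins for the kernel's generic array_index_mask_nospec() and array_index_nospec(), RTAS_ARGS_MAX is a constructed stand-in for ARRAY_SIZE(args.args) (16 is assumed, the page does not give the size), and negative_as_index() models the reinterpretation a negative 32-bit field would undergo, which bears on the question above.

```c
#include <stdint.h>

/* Model of the kernel's generic array_index_mask_nospec(): all-ones when
 * index < size, zero otherwise. Pure arithmetic, no branch, so the result
 * holds even while a mispredicted bounds check is still speculating. */
static unsigned long mask_nospec(unsigned long index, unsigned long size)
{
    __asm__ volatile("" : "+r"(index)); /* stand-in for OPTIMIZER_HIDE_VAR() */
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* Model of array_index_nospec(): clamp index into [0, size). Note that an
 * index equal to size is masked to 0, not to size - 1. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & mask_nospec(index, size);
}

/* Constructed stand-in for ARRAY_SIZE(args.args); the real size is assumed. */
#define RTAS_ARGS_MAX 16UL

struct rtas_counts { unsigned long nargs, nret; };

/* The two statements from the hunk, applied in the same order to values that
 * have already passed the architectural bounds checks in sys_rtas(). */
static struct rtas_counts clamp_rtas_counts(unsigned long nargs, unsigned long nret)
{
    struct rtas_counts c;

    c.nargs = index_nospec(nargs, RTAS_ARGS_MAX);
    /* The size of the second clamp uses the already-clamped nargs, so the
     * order of the two statements matters. */
    c.nret = index_nospec(nret, RTAS_ARGS_MAX - c.nargs);
    return c;
}

/* A negative value arriving in a user-supplied 32-bit field, reinterpreted as
 * an unsigned index: it lands far above any size, so the mask is 0. */
static unsigned long negative_as_index(int32_t v)
{
    return (unsigned long)(uint32_t)v;
}

int main(void)
{
    struct rtas_counts ok  = clamp_rtas_counts(3, 5);             /* unchanged */
    struct rtas_counts bad = clamp_rtas_counts(RTAS_ARGS_MAX, 1); /* nargs zeroed */
    struct rtas_counts neg = clamp_rtas_counts(negative_as_index(-1), 0);
    return (ok.nargs == 3 && ok.nret == 5 && bad.nargs == 0 && neg.nargs == 0) ? 0 : 1;
}
```

Running it shows in-range counts pass through untouched while an out-of-range or negative-derived value is forced to 0; clamp_rtas_counts(2, 14) likewise yields nret == 0, which is the index == size edge the clamp's size argument has to account for.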