Linux block layer
* Re: [PATCH 1/1] cdrom: Fix spectre-v1 gadget
       [not found] ` <20230609131355.71130-2-jordyzomer@google.com>
@ 2023-06-10 19:10   ` Phillip Potter
  2023-06-12  9:35     ` Jordy Zomer
  0 siblings, 1 reply; 3+ messages in thread
From: Phillip Potter @ 2023-06-10 19:10 UTC (permalink / raw)
  To: Jordy Zomer; +Cc: linux-kernel, jordyzomer, pawan.kumar.gupta, linux-block

On Fri, Jun 09, 2023 at 01:13:55PM +0000, Jordy Zomer wrote:
> This patch fixes a spectre-v1 gadget in cdrom.
> The gadget could be triggered by
>  speculatively bypassing the cdi->capacity check.
> 
> Signed-off-by: Jordy Zomer <jordyzomer@google.com>
> ---
>  drivers/cdrom/cdrom.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> index 416f723a2dbb..3c349bc0a269 100644
> --- a/drivers/cdrom/cdrom.c
> +++ b/drivers/cdrom/cdrom.c
> @@ -233,6 +233,7 @@
>  
>  -------------------------------------------------------------------------*/
>  
> +#include "asm/barrier.h"
>  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>  
>  #define REVISION "Revision: 3.20"
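Review bot: The `+#include "asm/barrier.h"` line uses a quoted path for an architecture header and lands in the licence/pr_fmt block rather than with the other includes; array_index_mask_nospec() is provided by `<linux/nospec.h>`, the arch-neutral header that carries a generic fallback for architectures whose barrier.h does not define it, which is consistent with the alpha build failure reported further down this thread. Suggest replacing this line with `#include <linux/nospec.h>` placed alongside the existing `<linux/...>` includes.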
> @@ -2329,6 +2330,8 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
>  	if (arg >= cdi->capacity)
>  		return -EINVAL;
>  
> +	arg = array_index_mask_nospec(arg, cdi->capacity);
> +
>  	info = kmalloc(sizeof(*info), GFP_KERNEL);
>  	if (!info)
>  		return -ENOMEM;
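Review bot: The `+	arg = array_index_mask_nospec(arg, cdi->capacity);` line changes the function's behaviour: array_index_mask_nospec() returns a mask (all ones when arg < capacity, zero otherwise), not a bounded index, so after the assignment `arg` is either ~0UL or 0 instead of the value the caller passed. The helper meant for sanitising an index after a bounds check is array_index_nospec(), which ANDs the index with that mask; suggest `arg = array_index_nospec(arg, cdi->capacity);` so an in-range `arg` is preserved. A one-line comment stating why a second statement follows an already-passed bounds check would also help readers.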
> -- 
> 2.41.0.162.gfafddb0af9-goog
> 

Hi Jordy,

Thanks for the patch, much appreciated. Sadly, as Pawan has already
pointed out, array_index_mask_nospec actually changes the behaviour of
this function, such that 'arg' would no longer be an array index.

In addition, it seems to have triggered the kernel test robot with an
alpha build error.

Regards,
Phil

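An added user-space illustration of Phil's point (example code, not from this thread or the kernel tree): the generic array_index_mask_nospec() formula from include/linux/nospec.h re-typed for user space next to the array_index_nospec() wrapper the fix should have used, showing that the v1 hunk turns `arg` into a mask while array_index_nospec() leaves an in-range index untouched and folds an out-of-range one to 0. The volatile copy standing in for the kernel's OPTIMIZER_HIDE_VAR and the capacity of 4 are assumptions made for this example.

```c
#include <limits.h>
#include <stdio.h>

/* Generic mask from include/linux/nospec.h, re-typed for user space
 * (illustration, not the kernel header). Yields ~0UL when index < size
 * and 0 otherwise, computed arithmetically rather than with a branch, so
 * it stays correct even while a mispredicted bounds check is in flight. */
static unsigned long array_index_mask_nospec(unsigned long index,
                                             unsigned long size)
{
    /* volatile copy stands in for the kernel's OPTIMIZER_HIDE_VAR(index),
     * which keeps the compiler from folding the mask using the check above */
    volatile unsigned long hidden = index;
    index = hidden;
    return ~(long)(index | (size - 1UL - index))
           >> (sizeof(long) * CHAR_BIT - 1);
}

/* array_index_nospec(): AND the index with the mask, so an in-bounds
 * index is unchanged and an out-of-bounds one collapses to index 0. */
static unsigned long array_index_nospec(unsigned long index,
                                        unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* What the v1 hunk does: arg becomes the mask (~0UL or 0), not an index. */
static unsigned long v1_sanitize(unsigned long arg, unsigned long capacity)
{
    return array_index_mask_nospec(arg, capacity);
}

/* What the review asks for: arg stays a bounded array index. */
static unsigned long fixed_sanitize(unsigned long arg, unsigned long capacity)
{
    return array_index_nospec(arg, capacity);
}

int main(void)
{
    unsigned long capacity = 4; /* constructed: cdi->capacity of 4 */

    printf("v1    arg=2 -> 0x%lx (a mask, no longer an index)\n",
           v1_sanitize(2, capacity));
    printf("fixed arg=2 -> %lu (in range, unchanged)\n",
           fixed_sanitize(2, capacity));
    printf("fixed arg=9 -> %lu (out of range, folded to 0)\n",
           fixed_sanitize(9, capacity));
    return 0;
}
```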

* Re: [PATCH 1/1] cdrom: Fix spectre-v1 gadget
  2023-06-10 19:10   ` [PATCH 1/1] cdrom: Fix spectre-v1 gadget Phillip Potter
@ 2023-06-12  9:35     ` Jordy Zomer
  0 siblings, 0 replies; 3+ messages in thread
From: Jordy Zomer @ 2023-06-12  9:35 UTC (permalink / raw)
  To: Phillip Potter; +Cc: linux-kernel, pawan.kumar.gupta, linux-block

Thanks both! I assumed array_index_mask_nospec was the same as
array_index_nospec. I'll send a V2 your way soon :)


On Sat, Jun 10, 2023 at 9:10 PM Phillip Potter <phil@philpotter.co.uk> wrote:
>
> On Fri, Jun 09, 2023 at 01:13:55PM +0000, Jordy Zomer wrote:
> > This patch fixes a spectre-v1 gadget in cdrom.
> > The gadget could be triggered by
> >  speculatively bypassing the cdi->capacity check.
> >
> > Signed-off-by: Jordy Zomer <jordyzomer@google.com>
> > ---
> >  drivers/cdrom/cdrom.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> > index 416f723a2dbb..3c349bc0a269 100644
> > --- a/drivers/cdrom/cdrom.c
> > +++ b/drivers/cdrom/cdrom.c
> > @@ -233,6 +233,7 @@
> >
> >  -------------------------------------------------------------------------*/
> >
> > +#include "asm/barrier.h"
> >  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> >
> >  #define REVISION "Revision: 3.20"
> > @@ -2329,6 +2330,8 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
> >       if (arg >= cdi->capacity)
> >               return -EINVAL;
> >
> > +     arg = array_index_mask_nospec(arg, cdi->capacity);
> > +
> >       info = kmalloc(sizeof(*info), GFP_KERNEL);
> >       if (!info)
> >               return -ENOMEM;
> > --
> > 2.41.0.162.gfafddb0af9-goog
> >
>
> Hi Jordy,
>
> Thanks for the patch, much appreciated. Sadly, as Pawan has already
> pointed out, array_index_mask_nospec actually changes the behaviour of
> this function, such that 'arg' would no longer be an array index.
>
> In addition, it seems to have triggered the kernel test robot with an
> alpha build error.
>
> Regards,
> Phil


* [PATCH 1/1] cdrom: Fix spectre-v1 gadget
  2023-06-17 11:38 [PATCH 0/1] cdrom: spectre-v1 patch for 6.5 Phillip Potter
@ 2023-06-17 11:38 ` Phillip Potter
  0 siblings, 0 replies; 3+ messages in thread
From: Phillip Potter @ 2023-06-17 11:38 UTC (permalink / raw)
  To: axboe; +Cc: linux-block

From: Jordy Zomer <jordyzomer@google.com>

This patch fixes a spectre-v1 gadget in cdrom.
The gadget could be triggered by speculatively
bypassing the cdi->capacity check.

Signed-off-by: Jordy Zomer <jordyzomer@google.com>
Link: https://lore.kernel.org/all/20230612110040.849318-2-jordyzomer@google.com
Reviewed-by: Phillip Potter <phil@philpotter.co.uk>
Link: https://lore.kernel.org/all/ZI1+1OG9Ut1MqsUC@equinox
Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
---
 drivers/cdrom/cdrom.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 416f723a2dbb..ecf2b458c108 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -264,6 +264,7 @@
 #include <linux/errno.h>
 #include <linux/kernel.h>
 #include <linux/mm.h>
+#include <linux/nospec.h>
 #include <linux/slab.h> 
 #include <linux/cdrom.h>
 #include <linux/sysctl.h>
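Review bot: `+#include <linux/nospec.h>` is the right header for the speculation helpers: it is arch-neutral, so it avoids the build breakage the v1 `"asm/barrier.h"` include caused, and it sits with the rest of the `<linux/...>` includes. No change needed in this hunk.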
@@ -2329,6 +2330,9 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
 	if (arg >= cdi->capacity)
 		return -EINVAL;
 
+	/* Prevent arg from speculatively bypassing the length check */
+	barrier_nospec();
+
 	info = kmalloc(sizeof(*info), GFP_KERNEL);
 	if (!info)
 		return -ENOMEM;
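Review bot: `+	barrier_nospec();` after the `if (arg >= cdi->capacity)` check is a full speculation barrier (an LFENCE on x86), whereas the earlier review identified `arg` as an array index; `arg = array_index_nospec(arg, cdi->capacity);` would close the same gadget with a cheap data-dependent mask instead of serialising speculation on every call to this ioctl handler, and it works on architectures where barrier_nospec() is only a no-op fallback. If the barrier is kept deliberately (it also covers any later speculative use of `arg`), the comment on the preceding line should say why it was preferred over array_index_nospec().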
-- 
2.40.1


