From: Lukas Gerlach <lukas.gerlach@cispa.de>
To: <linux-riscv@lists.infradead.org>
Cc: <palmer@dabbelt.com>, <pjw@kernel.org>, <aou@eecs.berkeley.edu>,
<alex@ghiti.fr>, <linux-kernel@vger.kernel.org>,
<daniel.weber@cispa.de>, <michael.schwarz@cispa.de>,
<marton.bognar@kuleuven.be>, <jo.vanbulck@kuleuven.be>,
Lukas Gerlach <lukas.gerlach@cispa.de>
Subject: [PATCH 2/2] riscv: Sanitize syscall table indexing under speculation
Date: Thu, 18 Dec 2025 20:13:32 +0100 [thread overview]
Message-ID: <20251218191332.35849-3-lukas.gerlach@cispa.de> (raw)
In-Reply-To: <20251218191332.35849-1-lukas.gerlach@cispa.de>
The syscall number is a user-controlled value used to index into the
syscall table. Use array_index_nospec() to clamp this value after the
bounds check to prevent speculative out-of-bounds access and subsequent
data leakage via cache side channels.
Signed-off-by: Lukas Gerlach <lukas.gerlach@cispa.de>
---
arch/riscv/kernel/traps.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 80230de167de..47afea4ff1a8 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -339,8 +339,10 @@ void do_trap_ecall_u(struct pt_regs *regs)
add_random_kstack_offset();
- if (syscall >= 0 && syscall < NR_syscalls)
+ if (syscall >= 0 && syscall < NR_syscalls) {
+ syscall = array_index_nospec(syscall, NR_syscalls);
syscall_handler(regs, syscall);
+ }
/*
* Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
--
2.51.0
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2025-12-18 19:14 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-18 19:13 [PATCH 0/2] riscv: Add Spectre v1 mitigations Lukas Gerlach
2025-12-18 19:13 ` [PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation Lukas Gerlach
2025-12-20 0:44 ` Deepak Gupta
2025-12-27 12:57 ` Lukas Gerlach
2025-12-28 0:41 ` Deepak Gupta
2025-12-27 21:28 ` David Laight
2025-12-28 1:59 ` Deepak Gupta
2025-12-28 22:34 ` David Laight
2025-12-29 12:32 ` David Laight
2025-12-31 3:47 ` Vivian Wang
2025-12-31 10:35 ` David Laight
2025-12-18 19:13 ` Lukas Gerlach [this message]
2025-12-31 3:01 ` [PATCH 2/2] riscv: Sanitize syscall table indexing under speculation Paul Walmsley
2025-12-31 3:31 ` [PATCH 0/2] riscv: Add Spectre v1 mitigations patchwork-bot+linux-riscv
2026-01-05 23:17 ` Paul Walmsley
2026-01-06 10:30 ` [PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation Lukas Gerlach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251218191332.35849-3-lukas.gerlach@cispa.de \
--to=lukas.gerlach@cispa.de \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=daniel.weber@cispa.de \
--cc=jo.vanbulck@kuleuven.be \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=marton.bognar@kuleuven.be \
--cc=michael.schwarz@cispa.de \
--cc=palmer@dabbelt.com \
--cc=pjw@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox