From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>
Subject: [PATCH 5.0 34/46] applicom: Fix potential Spectre v1 vulnerabilities
Date: Fri, 8 Mar 2019 13:50:07 +0100 [thread overview]
Message-ID: <20190308124904.465092673@linuxfoundation.org> (raw)
In-Reply-To: <20190308124902.257040783@linuxfoundation.org>
5.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavo@embeddedor.com>
commit d7ac3c6ef5d8ce14b6381d52eb7adafdd6c8bb3c upstream.
IndexCard is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/char/applicom.c:418 ac_write() warn: potential spectre issue 'apbs' [r]
drivers/char/applicom.c:728 ac_ioctl() warn: potential spectre issue 'apbs' [r] (local cap)
Fix this by sanitizing IndexCard before using it to index apbs.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/applicom.c | 35 ++++++++++++++++++++++++-----------
1 file changed, 24 insertions(+), 11 deletions(-)
--- a/drivers/char/applicom.c
+++ b/drivers/char/applicom.c
@@ -32,6 +32,7 @@
#include <linux/wait.h>
#include <linux/init.h>
#include <linux/fs.h>
+#include <linux/nospec.h>
#include <asm/io.h>
#include <linux/uaccess.h>
@@ -386,7 +387,11 @@ static ssize_t ac_write(struct file *fil
TicCard = st_loc.tic_des_from_pc; /* tic number to send */
IndexCard = NumCard - 1;
- if((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO)
+ if (IndexCard >= MAX_BOARD)
+ return -EINVAL;
+ IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
+
+ if (!apbs[IndexCard].RamIO)
return -EINVAL;
#ifdef DEBUG
@@ -697,6 +702,7 @@ static long ac_ioctl(struct file *file,
unsigned char IndexCard;
void __iomem *pmem;
int ret = 0;
+ static int warncount = 10;
volatile unsigned char byte_reset_it;
struct st_ram_io *adgl;
void __user *argp = (void __user *)arg;
@@ -711,16 +717,12 @@ static long ac_ioctl(struct file *file,
mutex_lock(&ac_mutex);
IndexCard = adgl->num_card-1;
- if(cmd != 6 && ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) {
- static int warncount = 10;
- if (warncount) {
- printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number %d\n",(int)IndexCard+1);
- warncount--;
- }
- kfree(adgl);
- mutex_unlock(&ac_mutex);
- return -EINVAL;
- }
+ if (cmd != 6 && IndexCard >= MAX_BOARD)
+ goto err;
+ IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
+
+ if (cmd != 6 && !apbs[IndexCard].RamIO)
+ goto err;
switch (cmd) {
@@ -838,5 +840,16 @@ static long ac_ioctl(struct file *file,
kfree(adgl);
mutex_unlock(&ac_mutex);
return 0;
+
+err:
+ if (warncount) {
+ pr_warn("APPLICOM driver IOCTL, bad board number %d\n",
+ (int)IndexCard + 1);
+ warncount--;
+ }
+ kfree(adgl);
+ mutex_unlock(&ac_mutex);
+ return -EINVAL;
+
}
next prev parent reply other threads:[~2019-03-08 13:08 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-08 12:49 [PATCH 5.0 00/46] 5.0.1-stable review Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 01/46] cpufreq: Use struct kobj_attribute instead of struct global_attr Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 02/46] staging: erofs: fix mis-acted TAIL merging behavior Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 03/46] binder: create node flag to request senders security context Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 04/46] USB: serial: option: add Telit ME910 ECM composition Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 05/46] USB: serial: cp210x: add ID for Ingenico 3070 Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 06/46] USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 07/46] driver core: Postpone DMA tear-down until after devres release Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 08/46] staging: erofs: fix fast symlink w/o xattr when fs xattr is on Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 09/46] staging: erofs: fix memleak of inodes shared xattr array Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 10/46] staging: erofs: fix race of initializing xattrs of a inode at the same time Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 11/46] staging: erofs: fix illegal address access under memory pressure Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 12/46] staging: comedi: ni_660x: fix missing break in switch statement Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 13/46] staging: wilc1000: fix to set correct value for vif_num Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 14/46] staging: android: ion: fix sys heap pools gfp_flags Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 15/46] staging: android: ashmem: Dont call fallocate() with ashmem_mutex held Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 16/46] staging: android: ashmem: Avoid range_alloc() allocation " Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 17/46] ip6mr: Do not call __IP6_INC_STATS() from preemptible context Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 18/46] net: dsa: mv88e6xxx: add call to mv88e6xxx_ports_cmode_init to probe for new DSA framework Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 19/46] net: dsa: mv88e6xxx: handle unknown duplex modes gracefully in mv88e6xxx_port_set_duplex Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 20/46] net: dsa: mv8e6xxx: fix number of internal PHYs for 88E6x90 family Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 21/46] net: mscc: Enable all ports in QSGMII Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 22/46] net: sched: put back q.qlen into a single location Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 23/46] net-sysfs: Fix mem leak in netdev_register_kobject Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 24/46] qmi_wwan: Add support for Quectel EG12/EM12 Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 25/46] sctp: call iov_iter_revert() after sending ABORT Greg Kroah-Hartman
2019-03-08 12:49 ` [PATCH 5.0 26/46] sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 27/46] team: Free BPF filter when unregistering netdev Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 28/46] tipc: fix RDM/DGRAM connect() regression Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 29/46] x86/CPU/AMD: Set the CPB bit unconditionally on F17h Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 30/46] x86/boot/compressed/64: Do not read legacy ROM on EFI system Greg Kroah-Hartman
2019-03-10 6:10 ` hpa
2019-03-10 6:18 ` Greg Kroah-Hartman
2019-03-11 1:44 ` hpa
2019-03-12 9:50 ` Kirill A. Shutemov
2019-03-08 12:50 ` [PATCH 5.0 31/46] tracing: Fix event filters and triggers to handle negative numbers Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 32/46] xhci: tegra: Prevent error pointer dereference Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 33/46] usb: xhci: Fix for Enabling USB ROLE SWITCH QUIRK on INTEL_SUNRISEPOINT_LP_XHCI Greg Kroah-Hartman
2019-03-08 12:50 ` Greg Kroah-Hartman [this message]
2019-03-08 12:50 ` [PATCH 5.0 35/46] alpha: wire up io_pgetevents system call Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 36/46] MIPS: irq: Allocate accurate order pages for irq stack Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 37/46] aio: Fix locking in aio_poll() Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 38/46] xtensa: fix get_wchan Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 39/46] gnss: sirf: fix premature wakeup interrupt enable Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 40/46] USB: serial: cp210x: fix GPIO in autosuspend Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 41/46] Revert "selftests: firmware: add CONFIG_FW_LOADER_USER_HELPER_FALLBACK to config" Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 42/46] Revert "selftests: firmware: remove use of non-standard diff -Z option" Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 43/46] selftests: firmware: fix verify_reqs() return value Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 44/46] Bluetooth: btrtl: Restore old logic to assume firmware is already loaded Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 45/46] Bluetooth: Fix locking in bt_accept_enqueue() for BH context Greg Kroah-Hartman
2019-03-08 12:50 ` [PATCH 5.0 46/46] exec: Fix mem leak in kernel_read_file Greg Kroah-Hartman
2019-03-08 16:06 ` [PATCH 5.0 00/46] 5.0.1-stable review Jon Hunter
2019-03-08 16:35 ` Greg Kroah-Hartman
2019-03-08 20:58 ` shuah
2019-03-09 6:53 ` Greg Kroah-Hartman
2019-03-09 7:10 ` Naresh Kamboju
2019-03-09 7:23 ` Greg Kroah-Hartman
2019-03-09 22:36 ` Guenter Roeck
2019-03-10 6:05 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190308124904.465092673@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=gustavo@embeddedor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox