From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
To: Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>
Cc: alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>
Subject: [PATCH] ALSA: isa/wavefront: Fix potential Spectre v1 vulnerabilities
Date: Tue, 26 Mar 2019 13:32:02 -0500 [thread overview]
Message-ID: <20190326183202.GA17285@embeddedor> (raw)
header->number and i are indirectly controlled by user-space, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
sound/isa/wavefront/wavefront_synth.c:792 wavefront_send_patch() warn: potential spectre issue 'dev->patch_status' [w] (local cap)
sound/isa/wavefront/wavefront_synth.c:819 wavefront_send_program() warn: potential spectre issue 'dev->prog_status' [w] (local cap)
sound/isa/wavefront/wavefront_synth.c:1197 wavefront_send_alias() warn: potential spectre issue 'dev->sample_status' [w]
sound/isa/wavefront/wavefront_synth.c:1248 wavefront_send_multisample() warn: potential spectre issue 'dev->sample_status' [w]
sound/isa/wavefront/wavefront_synth.c:1548 wavefront_synth_control() warn: potential spectre issue 'dev->sample_status' [r] (local cap)
Fix this by sanitizing header->number and i before using them to index
dev->patch_status, dev->prog_status, dev->sample_status.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
sound/isa/wavefront/wavefront_synth.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
index 0b1e4b34b299..a78e125dfdf9 100644
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -31,6 +31,7 @@
#include <linux/moduleparam.h>
#include <linux/slab.h>
#include <linux/module.h>
+#include <linux/nospec.h>
#include <sound/core.h>
#include <sound/snd_wavefront.h>
#include <sound/initval.h>
@@ -788,6 +789,8 @@ wavefront_send_patch (snd_wavefront_t *dev, wavefront_patch_info *header)
if (header->number >= ARRAY_SIZE(dev->patch_status))
return -EINVAL;
+ header->number = array_index_nospec(header->number,
+ ARRAY_SIZE(dev->patch_status));
dev->patch_status[header->number] |= WF_SLOT_FILLED;
@@ -815,6 +818,8 @@ wavefront_send_program (snd_wavefront_t *dev, wavefront_patch_info *header)
if (header->number >= ARRAY_SIZE(dev->prog_status))
return -EINVAL;
+ header->number = array_index_nospec(header->number,
+ ARRAY_SIZE(dev->prog_status));
dev->prog_status[header->number] = WF_SLOT_USED;
@@ -1194,6 +1199,11 @@ wavefront_send_alias (snd_wavefront_t *dev, wavefront_patch_info *header)
return -EIO;
}
+ if (header->number >= ARRAY_SIZE(dev->sample_status))
+ return -EINVAL;
+ header->number = array_index_nospec(header->number,
+ ARRAY_SIZE(dev->sample_status));
+
dev->sample_status[header->number] = (WF_SLOT_FILLED|WF_ST_ALIAS);
return (0);
@@ -1245,6 +1255,12 @@ wavefront_send_multisample (snd_wavefront_t *dev, wavefront_patch_info *header)
return -EIO;
}
+ if (header->number >= ARRAY_SIZE(dev->sample_status)) {
+ kfree(msample_hdr);
+ return -EINVAL;
+ }
+ header->number = array_index_nospec(header->number,
+ ARRAY_SIZE(dev->sample_status));
dev->sample_status[header->number] = (WF_SLOT_FILLED|WF_ST_MULTISAMPLE);
kfree(msample_hdr);
@@ -1545,6 +1561,7 @@ wavefront_synth_control (snd_wavefront_card_t *acard,
wc->status = EINVAL;
return -EINVAL;
}
+ i = array_index_nospec(i, WF_MAX_SAMPLE);
wc->rbuf[0] = dev->sample_status[i];
wc->status = 0;
return 0;
--
2.21.0
next reply other threads:[~2019-03-26 18:32 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-26 18:32 Gustavo A. R. Silva [this message]
2019-04-15 19:35 ` [PATCH] ALSA: isa/wavefront: Fix potential Spectre v1 vulnerabilities Gustavo A. R. Silva
2019-04-15 22:34 ` Takashi Iwai
2019-04-15 22:40 ` Gustavo A. R. Silva
-- strict thread matches above, loose matches on Subject: below --
2018-12-19 23:31 Gustavo A. R. Silva
2018-12-20 8:11 ` Takashi Iwai
2018-12-20 17:13 ` Gustavo A. R. Silva
2018-12-20 17:35 ` Takashi Iwai
2018-12-20 17:51 ` Gustavo A. R. Silva
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190326183202.GA17285@embeddedor \
--to=gustavo@embeddedor.com \
--cc=alsa-devel@alsa-project.org \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox