public inbox for linux-kernel@vger.kernel.org
* [PATCH v4] vmci: prevent speculation leaks by sanitizing event in event_deliver()
@ 2024-04-30  8:59 Hagar Hemdan
  2024-05-06 23:55 ` Vishnu Dasa
  0 siblings, 1 reply; 2+ messages in thread
From: Hagar Hemdan @ 2024-04-30  8:59 UTC (permalink / raw)
  Cc: Maximilian Heyne, Norbert Manthey, Hagar Gamal Halim Hemdan,
	Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list,
	Arnd Bergmann, Greg Kroah-Hartman, Dmitry Torokhov, George Zhang,
	Andy king, linux-kernel

From: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>

Coverity spotted that event_msg is controlled by user-space,
event_msg->event_data.event is passed to event_deliver() and used
as an index without sanitization.

This change ensures that the event index is sanitized to mitigate any
possibility of speculative information leaks.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Only compile tested, no access to HW.

Fixes: 1d990201f9bb ("VMCI: event handling implementation.")
Signed-off-by: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
---
v4: Added the testing state in the commit message and rebased on top of
latest mainline
---
 drivers/misc/vmw_vmci/vmci_event.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/vmw_vmci/vmci_event.c b/drivers/misc/vmw_vmci/vmci_event.c
index 5d7ac07623c2..9a41ab65378d 100644
--- a/drivers/misc/vmw_vmci/vmci_event.c
+++ b/drivers/misc/vmw_vmci/vmci_event.c
@@ -9,6 +9,7 @@
 #include <linux/vmw_vmci_api.h>
 #include <linux/list.h>
 #include <linux/module.h>
+#include <linux/nospec.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/rculist.h>
@@ -86,9 +87,12 @@ static void event_deliver(struct vmci_event_msg *event_msg)
 {
 	struct vmci_subscription *cur;
 	struct list_head *subscriber_list;
+	u32 sanitized_event, max_vmci_event;
 
 	rcu_read_lock();
-	subscriber_list = &subscriber_array[event_msg->event_data.event];
+	max_vmci_event = ARRAY_SIZE(subscriber_array);
+	sanitized_event = array_index_nospec(event_msg->event_data.event, max_vmci_event);
+	subscriber_list = &subscriber_array[sanitized_event];
 	list_for_each_entry_rcu(cur, subscriber_list, node) {
 		cur->callback(cur->id, &event_msg->event_data,
 			      cur->callback_data);
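Review bot: event_deliver() still has no architectural bounds check on event_msg->event_data.event in the lines shown, and array_index_nospec() maps an out-of-range index to 0 rather than rejecting it, so such a message would run the callbacks registered on subscriber_array[0]. If the caller already validates the event before calling event_deliver(), say so in a comment above the array_index_nospec() call; otherwise add an explicit range check with an early exit before the lookup. The max_vmci_event local is used once and could be dropped by passing ARRAY_SIZE(subscriber_array) directly.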
-- 
2.40.1
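
How the index clamping used by this patch behaves, as an added example that is not part of the original patch or of the kernel source: a userspace model of the arithmetic in the generic C fallback behind array_index_nospec(), paired with an explicit range check. EVENT_MAX, subscriber_count, index_mask, clamp_index and lookup_event are hypothetical names, and the table contents are constructed; the model shows the resulting values only, not the speculation barrier the kernel macro provides.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define EVENT_MAX 7UL	/* hypothetical table size, constructed for this example */

/* Constructed sample data: number of subscribers registered per event id. */
static const int subscriber_count[EVENT_MAX] = { 2, 0, 1, 0, 0, 3, 1 };

/*
 * Model of the generic mask: all ones when index < size, zero otherwise,
 * computed without a conditional branch. Relies on arithmetic right shift
 * of a negative long, as gcc and clang provide.
 */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
	return (unsigned long)(~(long)(index | (size - 1UL - index))
			       >> (sizeof(long) * CHAR_BIT - 1));
}

/* Clamp only: an out-of-range index collapses to 0, it is not rejected. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
	return index & index_mask(index, size);
}

/*
 * Validate, then clamp. The branch rejects bad input architecturally; the
 * mask keeps a mispredicted branch from indexing past the table.
 * Returns the subscriber count, or -1 for an unknown event.
 */
static int lookup_event(unsigned long event)
{
	if (event >= EVENT_MAX)
		return -1;
	return subscriber_count[clamp_index(event, EVENT_MAX)];
}

int main(void)
{
	const unsigned long samples[] = { 0, 5, 6, 7, ULONG_MAX };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("event=%lu clamped=%lu lookup=%d\n", samples[i],
		       clamp_index(samples[i], EVENT_MAX), lookup_event(samples[i]));
	return 0;
}
```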

