* [PATCH 0/1] cdrom: Fix spectre-v1 gadget
@ 2023-06-09 13:13 Jordy Zomer
2023-06-09 13:13 ` [PATCH 1/1] " Jordy Zomer
0 siblings, 1 reply; 6+ messages in thread
From: Jordy Zomer @ 2023-06-09 13:13 UTC (permalink / raw)
To: linux-kernel; +Cc: phil, Jordy Zomer
This patch fixes a spectre-v1 gadget in cdrom.
The gadget could be triggered by,
speculatviely bypassing the cdi->capacity check.
Jordy Zomer (1):
cdrom: Fix spectre-v1 gadget
drivers/cdrom/cdrom.c | 3 +++
1 file changed, 3 insertions(+)
--
2.41.0.162.gfafddb0af9-goog
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/1] cdrom: Fix spectre-v1 gadget
2023-06-09 13:13 [PATCH 0/1] cdrom: Fix spectre-v1 gadget Jordy Zomer
@ 2023-06-09 13:13 ` Jordy Zomer
2023-06-09 17:19 ` kernel test robot
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Jordy Zomer @ 2023-06-09 13:13 UTC (permalink / raw)
To: linux-kernel; +Cc: phil, Jordy Zomer
This patch fixes a spectre-v1 gadget in cdrom.
The gadget could be triggered by,
speculatviely bypassing the cdi->capacity check.
Signed-off-by: Jordy Zomer <jordyzomer@google.com>
---
drivers/cdrom/cdrom.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index 416f723a2dbb..3c349bc0a269 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -233,6 +233,7 @@
-------------------------------------------------------------------------*/
+#include "asm/barrier.h"
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#define REVISION "Revision: 3.20"
@@ -2329,6 +2330,8 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
if (arg >= cdi->capacity)
return -EINVAL;
+ arg = array_index_mask_nospec(arg, cdi->capacity);
+
info = kmalloc(sizeof(*info), GFP_KERNEL);
if (!info)
return -ENOMEM;
--
2.41.0.162.gfafddb0af9-goog
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] cdrom: Fix spectre-v1 gadget
2023-06-09 13:13 ` [PATCH 1/1] " Jordy Zomer
@ 2023-06-09 17:19 ` kernel test robot
2023-06-09 23:46 ` Pawan Gupta
2023-06-10 19:10 ` Phillip Potter
2 siblings, 0 replies; 6+ messages in thread
From: kernel test robot @ 2023-06-09 17:19 UTC (permalink / raw)
To: Jordy Zomer, linux-kernel; +Cc: oe-kbuild-all, phil, Jordy Zomer
Hi Jordy,
kernel test robot noticed the following build errors:
[auto build test ERROR on linus/master]
[also build test ERROR on v6.4-rc5 next-20230609]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Jordy-Zomer/cdrom-Fix-spectre-v1-gadget/20230609-211545
base: linus/master
patch link: https://lore.kernel.org/r/20230609131355.71130-2-jordyzomer%40google.com
patch subject: [PATCH 1/1] cdrom: Fix spectre-v1 gadget
config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20230610/202306100143.yzdJpUid-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 12.3.0
reproduce (this is a W=1 build):
mkdir -p ~/bin
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
git checkout linus/master
b4 shazam https://lore.kernel.org/r/20230609131355.71130-2-jordyzomer@google.com
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.3.0 ~/bin/make.cross W=1 O=build_dir ARCH=alpha olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.3.0 ~/bin/make.cross W=1 O=build_dir ARCH=alpha SHELL=/bin/bash drivers/
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202306100143.yzdJpUid-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/cdrom/cdrom.c: In function 'cdrom_ioctl_media_changed':
>> drivers/cdrom/cdrom.c:2333:15: error: implicit declaration of function 'array_index_mask_nospec' [-Werror=implicit-function-declaration]
2333 | arg = array_index_mask_nospec(arg, cdi->capacity);
| ^~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/array_index_mask_nospec +2333 drivers/cdrom/cdrom.c
2314
2315 static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
2316 unsigned long arg)
2317 {
2318 struct cdrom_changer_info *info;
2319 int ret;
2320
2321 cd_dbg(CD_DO_IOCTL, "entering CDROM_MEDIA_CHANGED\n");
2322
2323 if (!CDROM_CAN(CDC_MEDIA_CHANGED))
2324 return -ENOSYS;
2325
2326 /* cannot select disc or select current disc */
2327 if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
2328 return media_changed(cdi, 1);
2329
2330 if (arg >= cdi->capacity)
2331 return -EINVAL;
2332
> 2333 arg = array_index_mask_nospec(arg, cdi->capacity);
2334
2335 info = kmalloc(sizeof(*info), GFP_KERNEL);
2336 if (!info)
2337 return -ENOMEM;
2338
2339 ret = cdrom_read_mech_status(cdi, info);
2340 if (!ret)
2341 ret = info->slots[arg].change;
2342 kfree(info);
2343 return ret;
2344 }
2345
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] cdrom: Fix spectre-v1 gadget
2023-06-09 13:13 ` [PATCH 1/1] " Jordy Zomer
2023-06-09 17:19 ` kernel test robot
@ 2023-06-09 23:46 ` Pawan Gupta
2023-06-10 19:10 ` Phillip Potter
2 siblings, 0 replies; 6+ messages in thread
From: Pawan Gupta @ 2023-06-09 23:46 UTC (permalink / raw)
To: Jordy Zomer; +Cc: linux-kernel, phil
On Fri, Jun 09, 2023 at 01:13:55PM +0000, Jordy Zomer wrote:
> This patch fixes a spectre-v1 gadget in cdrom.
> The gadget could be triggered by,
> speculatviely bypassing the cdi->capacity check.
>
> Signed-off-by: Jordy Zomer <jordyzomer@google.com>
> ---
> drivers/cdrom/cdrom.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> index 416f723a2dbb..3c349bc0a269 100644
> --- a/drivers/cdrom/cdrom.c
> +++ b/drivers/cdrom/cdrom.c
> @@ -233,6 +233,7 @@
>
> -------------------------------------------------------------------------*/
>
> +#include "asm/barrier.h"
> #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>
> #define REVISION "Revision: 3.20"
> @@ -2329,6 +2330,8 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
> if (arg >= cdi->capacity)
> return -EINVAL;
>
> + arg = array_index_mask_nospec(arg, cdi->capacity);
array_index_nospec() is the correct function to use. The above generates
a mask and not the original value. Also it is effective when the second
argument is a build time constant. If thats not possible and this
function is not called very often barrier_nospec() is also an option.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] cdrom: Fix spectre-v1 gadget
2023-06-09 13:13 ` [PATCH 1/1] " Jordy Zomer
2023-06-09 17:19 ` kernel test robot
2023-06-09 23:46 ` Pawan Gupta
@ 2023-06-10 19:10 ` Phillip Potter
2023-06-12 9:35 ` Jordy Zomer
2 siblings, 1 reply; 6+ messages in thread
From: Phillip Potter @ 2023-06-10 19:10 UTC (permalink / raw)
To: Jordy Zomer; +Cc: linux-kernel, jordyzomer, pawan.kumar.gupta, linux-block
On Fri, Jun 09, 2023 at 01:13:55PM +0000, Jordy Zomer wrote:
> This patch fixes a spectre-v1 gadget in cdrom.
> The gadget could be triggered by,
> speculatviely bypassing the cdi->capacity check.
>
> Signed-off-by: Jordy Zomer <jordyzomer@google.com>
> ---
> drivers/cdrom/cdrom.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> index 416f723a2dbb..3c349bc0a269 100644
> --- a/drivers/cdrom/cdrom.c
> +++ b/drivers/cdrom/cdrom.c
> @@ -233,6 +233,7 @@
>
> -------------------------------------------------------------------------*/
>
> +#include "asm/barrier.h"
> #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>
> #define REVISION "Revision: 3.20"
> @@ -2329,6 +2330,8 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
> if (arg >= cdi->capacity)
> return -EINVAL;
>
> + arg = array_index_mask_nospec(arg, cdi->capacity);
> +
> info = kmalloc(sizeof(*info), GFP_KERNEL);
> if (!info)
> return -ENOMEM;
> --
> 2.41.0.162.gfafddb0af9-goog
>
Hi Jordy,
Thanks for the patch, much appreciated. Sadly, as Pawan has already
pointed out, array_index_mask_nospec actually changes the behaviour of
this function, such that 'arg' would no longer be an array index.
In addition, it seems to have triggered the kernel test robot with an
alpha build error.
Regards,
Phil
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] cdrom: Fix spectre-v1 gadget
2023-06-10 19:10 ` Phillip Potter
@ 2023-06-12 9:35 ` Jordy Zomer
0 siblings, 0 replies; 6+ messages in thread
From: Jordy Zomer @ 2023-06-12 9:35 UTC (permalink / raw)
To: Phillip Potter; +Cc: linux-kernel, pawan.kumar.gupta, linux-block
Thanks both! I assumed array_index_mask_nospec was the same as
array_index_nospec. I'll send a V2 your way soon :)
On Sat, Jun 10, 2023 at 9:10 PM Phillip Potter <phil@philpotter.co.uk> wrote:
>
> On Fri, Jun 09, 2023 at 01:13:55PM +0000, Jordy Zomer wrote:
> > This patch fixes a spectre-v1 gadget in cdrom.
> > The gadget could be triggered by,
> > speculatviely bypassing the cdi->capacity check.
> >
> > Signed-off-by: Jordy Zomer <jordyzomer@google.com>
> > ---
> > drivers/cdrom/cdrom.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> > index 416f723a2dbb..3c349bc0a269 100644
> > --- a/drivers/cdrom/cdrom.c
> > +++ b/drivers/cdrom/cdrom.c
> > @@ -233,6 +233,7 @@
> >
> > -------------------------------------------------------------------------*/
> >
> > +#include "asm/barrier.h"
> > #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> >
> > #define REVISION "Revision: 3.20"
> > @@ -2329,6 +2330,8 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
> > if (arg >= cdi->capacity)
> > return -EINVAL;
> >
> > + arg = array_index_mask_nospec(arg, cdi->capacity);
> > +
> > info = kmalloc(sizeof(*info), GFP_KERNEL);
> > if (!info)
> > return -ENOMEM;
> > --
> > 2.41.0.162.gfafddb0af9-goog
> >
>
> Hi Jordy,
>
> Thanks for the patch, much appreciated. Sadly, as Pawan has already
> pointed out, array_index_mask_nospec actually changes the behaviour of
> this function, such that 'arg' would no longer be an array index.
>
> In addition, it seems to have triggered the kernel test robot with an
> alpha build error.
>
> Regards,
> Phil
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-06-12 9:50 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-06-09 13:13 [PATCH 0/1] cdrom: Fix spectre-v1 gadget Jordy Zomer
2023-06-09 13:13 ` [PATCH 1/1] " Jordy Zomer
2023-06-09 17:19 ` kernel test robot
2023-06-09 23:46 ` Pawan Gupta
2023-06-10 19:10 ` Phillip Potter
2023-06-12 9:35 ` Jordy Zomer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox