From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 24/31] net: cxgb3_main: fix potential Spectre v1
Date: Fri, 20 Jul 2018 14:13:54 +0200 [thread overview]
Message-ID: <20180720121341.027300543@linuxfoundation.org> (raw)
In-Reply-To: <20180720121340.158484922@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavo@embeddedor.com>
commit 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 upstream.
t.qset_idx can be indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
warn: potential spectre issue 'adapter->msix_info'
Fix this by sanitizing t.qset_idx before using it to index
adapter->msix_info
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
@@ -50,6 +50,7 @@
#include <linux/stringify.h>
#include <linux/sched.h>
#include <linux/slab.h>
+#include <linux/nospec.h>
#include <asm/uaccess.h>
#include "common.h"
@@ -2256,6 +2257,7 @@ static int cxgb_extension_ioctl(struct n
if (t.qset_idx >= nqsets)
return -EINVAL;
+ t.qset_idx = array_index_nospec(t.qset_idx, nqsets);
q = &adapter->params.sge.qset[q1 + t.qset_idx];
t.rspq_size = q->rspq_size;
next prev parent reply other threads:[~2018-07-20 13:15 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-20 12:13 [PATCH 4.4 00/31] 4.4.143-stable review Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 01/31] compiler, clang: suppress warning for unused static inline functions Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 02/31] compiler, clang: properly override inline for clang Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 03/31] compiler, clang: always inline when CONFIG_OPTIMIZE_INLINING is disabled Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 04/31] compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 05/31] x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h> Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 06/31] Revert "sit: reload iphdr in ipip6_rcv" Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 07/31] ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 08/31] bcm63xx_enet: correct clock usage Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 09/31] bcm63xx_enet: do not write to random DMA channel on BCM6345 Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 10/31] crypto: crypto4xx - remove bad list_del Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 11/31] crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 12/31] atm: zatm: Fix potential Spectre v1 Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 13/31] net: dccp: avoid crash in ccid3_hc_rx_send_feedback() Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 14/31] net: dccp: switch rx_tstamp_last_feedback to monotonic clock Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 15/31] net/mlx5: Fix incorrect raw command length parsing Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 16/31] net: sungem: fix rx checksum support Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 17/31] qed: Limit msix vectors in kdump kernel to the minimum required count Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 18/31] r8152: napi hangup fix after disconnect Greg Kroah-Hartman
2018-08-24 16:38 ` Ben Hutchings
2018-08-25 7:43 ` Jiri Slaby
2018-09-12 18:54 ` Ben Hutchings
2018-07-20 12:13 ` [PATCH 4.4 19/31] tcp: fix Fast Open key endianness Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 21/31] vhost_net: validate sock before trying to put its fd Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 22/31] net_sched: blackhole: tell upper qdisc about dropped packets Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 23/31] net/mlx5: Fix command interface race in polling mode Greg Kroah-Hartman
2018-07-20 12:13 ` Greg Kroah-Hartman [this message]
2018-07-20 12:13 ` [PATCH 4.4 25/31] rtlwifi: rtl8821ae: fix firmware is not ready to run Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 26/31] MIPS: Call dump_stack() from show_regs() Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 27/31] MIPS: Use async IPIs for arch_trigger_cpumask_backtrace() Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 28/31] netfilter: ebtables: reject non-bridge targets Greg Kroah-Hartman
2018-07-20 12:13 ` [PATCH 4.4 29/31] KEYS: DNS: fix parsing multiple options Greg Kroah-Hartman
2018-07-20 12:14 ` [PATCH 4.4 30/31] rds: avoid unenecessary cong_update in loop transport Greg Kroah-Hartman
2018-07-20 12:14 ` [PATCH 4.4 31/31] net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL Greg Kroah-Hartman
2018-07-20 13:34 ` [PATCH 4.4 00/31] 4.4.143-stable review Nathan Chancellor
2018-07-21 7:38 ` Naresh Kamboju
2018-07-21 13:39 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180720121341.027300543@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=gustavo@embeddedor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).