* [PATCH] ALSA: emux_hwdep: Fix potential Spectre v1 vulnerabilities
@ 2018-12-12 17:20 Gustavo A. R. Silva
2018-12-12 21:39 ` Sasha Levin
2018-12-13 8:13 ` Takashi Iwai
0 siblings, 2 replies; 4+ messages in thread
From: Gustavo A. R. Silva @ 2018-12-12 17:20 UTC (permalink / raw)
To: Jaroslav Kysela, Takashi Iwai
Cc: alsa-devel, linux-kernel, Gustavo A. R. Silva
info.mode and info.port are indirectly controlled by user-space,
hence leading to a potential exploitation of the Spectre variant 1
vulnerability.
These issues were detected with the help of Smatch:
sound/synth/emux/emux_hwdep.c:72 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[i]->ctrls' [w] (local cap)
sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs' [w] (local cap)
sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[info.port]->ctrls' [w] (local cap)
Fix this by sanitizing both info.mode and info.port before using them
to index emu->portptrs[i]->ctrls, emu->portptrs[info.port]->ctrls and
emu->portptrs.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
sound/synth/emux/emux_hwdep.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sound/synth/emux/emux_hwdep.c b/sound/synth/emux/emux_hwdep.c
index e557946718a9..a0d5cd99572f 100644
--- a/sound/synth/emux/emux_hwdep.c
+++ b/sound/synth/emux/emux_hwdep.c
@@ -24,6 +24,7 @@
#include <linux/uaccess.h>
#include "emux_voice.h"
+#include <linux/nospec.h>
#define TMP_CLIENT_ID 0x1001
@@ -66,13 +67,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux *emu, void __user *arg)
return -EFAULT;
if (info.mode < 0 || info.mode >= EMUX_MD_END)
return -EINVAL;
+ info.mode = array_index_nospec(info.mode, EMUX_MD_END);
if (info.port < 0) {
for (i = 0; i < emu->num_ports; i++)
emu->portptrs[i]->ctrls[info.mode] = info.value;
} else {
- if (info.port < emu->num_ports)
+ if (info.port < emu->num_ports) {
+ info.port = array_index_nospec(info.port, emu->num_ports);
emu->portptrs[info.port]->ctrls[info.mode] = info.value;
+ }
}
return 0;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] ALSA: emux_hwdep: Fix potential Spectre v1 vulnerabilities
2018-12-12 17:20 [PATCH] ALSA: emux_hwdep: Fix potential Spectre v1 vulnerabilities Gustavo A. R. Silva
@ 2018-12-12 21:39 ` Sasha Levin
2018-12-13 8:13 ` Takashi Iwai
1 sibling, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2018-12-12 21:39 UTC (permalink / raw)
To: Sasha Levin, Gustavo A. R. Silva, Jaroslav Kysela, Takashi Iwai
Cc: alsa-devel, linux-kernel, stable
Hi,
[This is an automated email]
This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v4.19.8, v4.14.87, v4.9.144, v4.4.166, v3.18.128,
v4.19.8: Build OK!
v4.14.87: Build OK!
v4.9.144: Build OK!
v4.4.166: Build OK!
v3.18.128: Build failed! Errors:
sound/synth/emux/emux_hwdep.c:27:10: fatal error: linux/nospec.h: No such file or directory
How should we proceed with this patch?
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ALSA: emux_hwdep: Fix potential Spectre v1 vulnerabilities
2018-12-12 17:20 [PATCH] ALSA: emux_hwdep: Fix potential Spectre v1 vulnerabilities Gustavo A. R. Silva
@ 2018-12-13 8:13 ` Takashi Iwai
2018-12-13 8:13 ` Takashi Iwai
1 sibling, 0 replies; 4+ messages in thread
From: Takashi Iwai @ 2018-12-13 8:13 UTC (permalink / raw)
To: Gustavo A. R. Silva ; +Cc: Jaroslav Kysela, alsa-devel, linux-kernel
On Wed, 12 Dec 2018 18:20:49 +0100,
Gustavo A. R. Silva wrote:
>
> info.mode and info.port are indirectly controlled by user-space,
> hence leading to a potential exploitation of the Spectre variant 1
> vulnerability.
>
> These issues were detected with the help of Smatch:
>
> sound/synth/emux/emux_hwdep.c:72 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[i]->ctrls' [w] (local cap)
> sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs' [w] (local cap)
> sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[info.port]->ctrls' [w] (local cap)
>
> Fix this by sanitizing both info.mode and info.port before using them
> to index emu->portptrs[i]->ctrls, emu->portptrs[info.port]->ctrls and
> emu->portptrs.
>
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
>
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Applied now (with moving the linux/nospec.h in a more appropriate
line).
thanks,
Takashi
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] ALSA: emux_hwdep: Fix potential Spectre v1 vulnerabilities
@ 2018-12-13 8:13 ` Takashi Iwai
0 siblings, 0 replies; 4+ messages in thread
From: Takashi Iwai @ 2018-12-13 8:13 UTC (permalink / raw)
To: Gustavo A. R. Silva ; +Cc: Jaroslav Kysela, alsa-devel, linux-kernel
On Wed, 12 Dec 2018 18:20:49 +0100,
Gustavo A. R. Silva wrote:
>
> info.mode and info.port are indirectly controlled by user-space,
> hence leading to a potential exploitation of the Spectre variant 1
> vulnerability.
>
> These issues were detected with the help of Smatch:
>
> sound/synth/emux/emux_hwdep.c:72 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[i]->ctrls' [w] (local cap)
> sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs' [w] (local cap)
> sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[info.port]->ctrls' [w] (local cap)
>
> Fix this by sanitizing both info.mode and info.port before using them
> to index emu->portptrs[i]->ctrls, emu->portptrs[info.port]->ctrls and
> emu->portptrs.
>
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
>
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Applied now (with moving the linux/nospec.h in a more appropriate
line).
thanks,
Takashi
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-12-13 8:13 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-12-12 17:20 [PATCH] ALSA: emux_hwdep: Fix potential Spectre v1 vulnerabilities Gustavo A. R. Silva
2018-12-12 21:39 ` Sasha Levin
2018-12-13 8:13 ` Takashi Iwai
2018-12-13 8:13 ` Takashi Iwai
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.