From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754884AbeDTNTD (ORCPT ); Fri, 20 Apr 2018 09:19:03 -0400 Received: from bombadil.infradead.org ([198.137.202.133]:57178 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754741AbeDTNS7 (ORCPT ); Fri, 20 Apr 2018 09:18:59 -0400 Message-Id: <20180420131631.720909184@infradead.org> User-Agent: quilt/0.63-1 Date: Fri, 20 Apr 2018 15:14:08 +0200 From: Peter Zijlstra To: linux-kernel@vger.kernel.org, mingo@kernel.org Cc: tglx@linutronix.de, dan.j.williams@intel.com, torvalds@linux-foundation.org, Dan Carpenter , "Peter Zijlstra" Subject: [PATCH 1/7] perf: Fix possible Spectre-v1 for aux_pages References: <20180420131407.721875616@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Disposition: inline; filename=peterz-spectre1-1.patch Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > kernel/events/ring_buffer.c:871 perf_mmap_to_page() warn: potential spectre issue 'rb->aux_pages' Userspace controls @pgoff through the fault address. Sanitize the array index before doing the array dereference. Reported-by: Dan Carpenter Signed-off-by: Peter Zijlstra --- kernel/events/ring_buffer.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/kernel/events/ring_buffer.c +++ b/kernel/events/ring_buffer.c @@ -867,8 +867,10 @@ perf_mmap_to_page(struct ring_buffer *rb return NULL; /* AUX space */ - if (pgoff >= rb->aux_pgoff) - return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]); + if (pgoff >= rb->aux_pgoff) { + int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages); + return virt_to_page(rb->aux_pages[aux_pgoff]); + } } return __perf_mmap_to_page(rb, pgoff);
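Review bot: in the added AUX branch, the new local `int aux_pgoff` reuses the name of the field `rb->aux_pgoff` that appears in the same expression, and it stores the result of `array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages)` in a signed int. A distinct name such as `idx`, declared with the same type as `pgoff`, would avoid the name clash and any narrowing. The declaration of `pgoff` is outside the visible context, so that type needs checking against the function signature. Separately, `array_index_nospec()` clamps an out-of-range index to 0 rather than rejecting it, so this change only closes the speculative window. The architectural bounds check has to come from the test above the `return NULL;` context line, which this hunk does not show. It is worth confirming that test rejects every `pgoff` where `pgoff - rb->aux_pgoff >= rb->aux_nr_pages`, since otherwise the clamped path would silently return the page for `rb->aux_pages[0]`. The added declaration line also runs past 80 columns and could be split into a declaration and an assignment.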