From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Michael S. Tsirkin" <mst@redhat.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Jason Wang <jasowang@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 09/24] vhost: Fix Spectre V1 vulnerability
Date: Fri, 2 Nov 2018 19:34:42 +0100 [thread overview]
Message-ID: <20181102182841.150614489@linuxfoundation.org> (raw)
In-Reply-To: <20181102182839.725385066@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
[ Upstream commit ff002269a4ee9c769dbf9365acef633ebcbd6cbe ]
The idx in vhost_vring_ioctl() was controlled by userspace, hence a
potential exploitation of the Spectre variant 1 vulnerability.
Fixing this by sanitizing idx before using it to index d->vqs.
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/vhost.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -30,6 +30,7 @@
#include <linux/sched/mm.h>
#include <linux/sched/signal.h>
#include <linux/interval_tree_generic.h>
+#include <linux/nospec.h>
#include "vhost.h"
@@ -1397,6 +1398,7 @@ long vhost_vring_ioctl(struct vhost_dev
if (idx >= d->nvqs)
return -ENOBUFS;
+ idx = array_index_nospec(idx, d->nvqs);
vq = d->vqs[idx];
mutex_lock(&vq->mutex);
next prev parent reply other threads:[~2018-11-02 18:37 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-02 18:34 [PATCH 4.19 00/24] 4.19.1-stable review Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 01/24] bridge: do not add port to router list when receives query with source 0.0.0.0 Greg Kroah-Hartman
2019-02-17 14:29 ` Sebastian Gottschall
2019-02-17 16:48 ` Greg Kroah-Hartman
2019-02-18 10:18 ` Sebastian Gottschall
2019-02-20 12:48 ` Sebastian Gottschall
2019-02-20 13:09 ` Nikolay Aleksandrov
2019-02-20 13:11 ` Nikolay Aleksandrov
2019-02-20 14:46 ` Hangbin Liu
2019-02-21 12:50 ` Sebastian Gottschall
2019-02-21 11:41 ` Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 02/24] ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 03/24] net/mlx5e: fix csum adjustments caused by RXFCS Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 04/24] net: sched: gred: pass the right attribute to gred_change_table_def() Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 05/24] net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 06/24] net: udp: fix handling of CHECKSUM_COMPLETE packets Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 07/24] Revert "net: simplify sock_poll_wait" Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 08/24] rtnetlink: Disallow FDB configuration for non-Ethernet device Greg Kroah-Hartman
2018-11-02 18:34 ` Greg Kroah-Hartman [this message]
2018-11-02 18:34 ` [PATCH 4.19 10/24] bonding: fix length of actor system Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 11/24] openvswitch: Fix push/pop ethernet validation Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 12/24] net/ipv6: Allow onlink routes to have a device mismatch if it is the default route Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 13/24] net/smc: fix smc_buf_unuse to use the lgr pointer Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 14/24] mlxsw: spectrum_switchdev: Dont ignore deletions of learned MACs Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 15/24] mlxsw: core: Fix devlink unregister flow Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 16/24] net: drop skb on failure in ip_check_defrag() Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 17/24] net: Properly unlink GRO packets on overflow Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 18/24] r8169: fix broken Wake-on-LAN from S5 (poweroff) Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 19/24] Revert "be2net: remove desc field from be_eq_obj" Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 20/24] sctp: check policy more carefully when getting pr status Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 21/24] sparc64: Export __node_distance Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 22/24] sparc64: Make corrupted user stacks more debuggable Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 23/24] sparc64: Wire up compat getpeername and getsockname Greg Kroah-Hartman
2018-11-02 18:34 ` [PATCH 4.19 24/24] net: bridge: remove ipv6 zero address check in mcast queries Greg Kroah-Hartman
2018-11-03 14:33 ` [PATCH 4.19 00/24] 4.19.1-stable review Guenter Roeck
2018-11-04 4:24 ` Naresh Kamboju
2018-11-04 7:10 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181102182841.150614489@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aarcange@redhat.com \
--cc=davem@davemloft.net \
--cc=jasowang@redhat.com \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).