From: Dan Williams <dan.j.williams@intel.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-arch@vger.kernel.org, Alan Cox <alan@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Netdev <netdev@vger.kernel.org>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Thomas Gleixner <tglx@linutronix.de>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Elena Reshetova <elena.reshetova@intel.com>,
"Linux-media@vger.kernel.org" <linux-media@vger.kernel.org>,
dsj@fb.com
Subject: Re: [PATCH 07/18] [media] uvcvideo: prevent bounds-check bypass via speculative execution
Date: Sat, 6 Jan 2018 09:41:17 -0800 [thread overview]
Message-ID: <CAPcyv4je-agqvmNSJf7v-1VBOrfhOvcs_qASNPJiBzgTt70dPA@mail.gmail.com> (raw)
In-Reply-To: <20180106094026.GA11525@kroah.com>
On Sat, Jan 6, 2018 at 1:40 AM, Greg KH <gregkh@linuxfoundation.org> wrote:
> On Sat, Jan 06, 2018 at 10:09:07AM +0100, Greg KH wrote:
>> On Fri, Jan 05, 2018 at 05:10:32PM -0800, Dan Williams wrote:
>> > Static analysis reports that 'index' may be a user controlled value that
>> > is used as a data dependency to read 'pin' from the
>> > 'selector->baSourceID' array. In order to avoid potential leaks of
>> > kernel memory values, block speculative execution of the instruction
>> > stream that could issue reads based on an invalid value of 'pin'.
>> >
>> > Based on an original patch by Elena Reshetova.
>> >
>> > Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
>> > Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
>> > Cc: linux-media@vger.kernel.org
>> > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
>> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> > ---
>> > drivers/media/usb/uvc/uvc_v4l2.c | 7 +++++--
>> > 1 file changed, 5 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
>> > index 3e7e283a44a8..7442626dc20e 100644
>> > --- a/drivers/media/usb/uvc/uvc_v4l2.c
>> > +++ b/drivers/media/usb/uvc/uvc_v4l2.c
>> > @@ -22,6 +22,7 @@
>> > #include <linux/mm.h>
>> > #include <linux/wait.h>
>> > #include <linux/atomic.h>
>> > +#include <linux/compiler.h>
>> >
>> > #include <media/v4l2-common.h>
>> > #include <media/v4l2-ctrls.h>
>> > @@ -810,6 +811,7 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh,
>> > struct uvc_entity *iterm = NULL;
>> > u32 index = input->index;
>> > int pin = 0;
>> > + __u8 *elem;
>> >
>> > if (selector == NULL ||
>> > (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) {
>> > @@ -820,8 +822,9 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh,
>> > break;
>> > }
>> > pin = iterm->id;
>> > - } else if (index < selector->bNrInPins) {
>> > - pin = selector->baSourceID[index];
>> > + } else if ((elem = nospec_array_ptr(selector->baSourceID, index,
>> > + selector->bNrInPins))) {
>> > + pin = *elem;
>>
>> I dug through this before, and I couldn't find where index came from
>> userspace, I think seeing the coverity rule would be nice.
>
> Ok, I take it back, this looks correct. Ugh, the v4l ioctl api is
> crazy complex (rightfully so), it's amazing that coverity could navigate
> that whole thing :)
>
> While I'm all for fixing this type of thing, I feel like we need to do
> something "else" for this as playing whack-a-mole for this pattern is
> going to be a never-ending battle for all drivers for forever. Either
> we need some way to mark this data path to make it easy for tools like
> sparse to flag easily, or we need to catch the issue in the driver
> subsystems, which unfortunatly, would harm the drivers that don't have
> this type of issue (like here.)
>
> I'm guessing that other operating systems, which don't have the luxury
> of auditing all of their drivers are going for the "big hammer in the
> subsystem" type of fix, right?
>
> I don't have a good answer for this, but if there was some better way to
> rewrite these types of patterns to just prevent the need for the
> nospec_array_ptr() type thing, that might be the best overall for
> everyone. Much like ebpf did with their changes. That way a simple
> coccinelle rule would be able to catch the pattern and rewrite it.
>
> Or am I just dreaming?
At least on the coccinelle front you're dreaming. Julia already took a
look and said:
"I don't think Coccinelle would be good for doing this (ie
implementing taint analysis) because the dataflow is too complicated."
Perhaps the Coverity instance Dave mentioned at Ksummit 2012 has a
role to play here?
next prev parent reply other threads:[~2018-01-06 17:41 UTC|newest]
Thread overview: 161+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-06 1:09 [PATCH 00/18] prevent bounds-check bypass via speculative execution Dan Williams
2018-01-06 1:09 ` [PATCH 01/18] asm-generic/barrier: add generic nospec helpers Dan Williams
2018-01-06 2:55 ` Linus Torvalds
2018-01-06 5:23 ` Dan Williams
2018-01-06 17:08 ` Mark Rutland
2018-01-06 1:10 ` [PATCH 02/18] Documentation: document " Dan Williams
2018-01-08 16:29 ` Jonathan Corbet
2018-01-08 17:09 ` Mark Rutland
2018-01-08 21:19 ` Jonathan Corbet
2018-01-06 1:10 ` [PATCH 03/18] arm64: implement nospec_ptr() Dan Williams
2018-01-06 1:10 ` [PATCH 04/18] arm: " Dan Williams
2018-01-10 2:04 ` Laura Abbott
2018-01-10 7:40 ` Hanjun Guo
2018-01-10 17:24 ` Laura Abbott
2018-01-06 1:10 ` [PATCH 05/18] x86: implement nospec_barrier() Dan Williams
2018-01-06 1:10 ` [PATCH 06/18] x86, barrier: stop speculation for failed access_ok Dan Williams
2018-01-06 2:52 ` Linus Torvalds
2018-01-06 3:09 ` Linus Torvalds
2018-01-06 23:31 ` Dan Williams
2018-01-07 1:20 ` Linus Torvalds
2018-01-08 21:09 ` Dan Williams
2018-01-08 23:44 ` Linus Torvalds
2018-01-08 23:53 ` Dan Williams
2018-01-06 5:47 ` Dan Williams
2018-01-06 12:32 ` Alan Cox
2018-01-06 17:56 ` Linus Torvalds
2018-01-06 18:13 ` Alexei Starovoitov
2018-01-06 18:29 ` Dan Williams
2018-01-06 18:39 ` Alexei Starovoitov
2018-01-06 18:54 ` Dan Williams
2018-01-06 19:25 ` Alexei Starovoitov
2018-01-06 19:36 ` Dan Williams
2018-01-06 19:41 ` Thomas Gleixner
2018-01-08 10:02 ` Andrea Arcangeli
2018-01-06 18:38 ` Alan Cox
2018-01-06 18:51 ` Alexei Starovoitov
2018-01-06 19:55 ` Alan Cox
2018-01-06 20:09 ` Alexei Starovoitov
2018-01-06 20:22 ` Alan Cox
2018-01-06 21:17 ` Alexei Starovoitov
2018-01-06 21:21 ` Thomas Gleixner
2018-01-06 23:05 ` Alan Cox
2018-01-07 3:38 ` Alexei Starovoitov
2018-01-07 6:33 ` Willy Tarreau
2018-01-07 19:47 ` Linus Torvalds
2018-01-07 20:12 ` Willy Tarreau
2018-01-07 20:17 ` Linus Torvalds
2018-01-07 20:56 ` Thomas Gleixner
2018-01-08 2:23 ` David Miller
2018-01-08 7:38 ` Greg KH
2018-01-07 22:15 ` Willy Tarreau
2018-01-07 20:15 ` Dan Williams
2018-01-08 2:24 ` Alexei Starovoitov
2018-01-08 9:51 ` Peter Zijlstra
2018-01-08 18:21 ` Ingo Molnar
2018-01-08 12:00 ` David Laight
2018-01-08 12:12 ` Alan Cox
2018-01-08 12:33 ` David Laight
2018-01-07 10:08 ` Thomas Gleixner
2018-01-08 2:09 ` Alexei Starovoitov
2018-01-07 13:59 ` Alan Cox
2018-01-08 2:57 ` Alexei Starovoitov
2018-01-08 9:57 ` Peter Zijlstra
2018-01-06 20:42 ` Willy Tarreau
2018-01-07 1:36 ` David Miller
2018-01-07 17:19 ` James Bottomley
2018-01-07 18:31 ` Thomas Gleixner
2018-01-08 2:04 ` David Miller
2018-01-07 19:24 ` Alan Cox
2018-01-09 21:41 ` Josh Poimboeuf
2018-01-09 21:47 ` Dan Williams
2018-01-09 21:49 ` Josh Poimboeuf
2018-01-09 21:59 ` Dan Williams
2018-01-09 22:23 ` Josh Poimboeuf
2018-01-09 22:35 ` Dan Williams
2018-01-06 1:10 ` [PATCH 07/18] [media] uvcvideo: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-06 9:09 ` Greg KH
2018-01-06 9:40 ` Greg KH
2018-01-06 17:41 ` Dan Williams [this message]
2018-01-07 9:09 ` Greg KH
2018-01-07 19:37 ` Dan Williams
2018-01-09 8:40 ` Laurent Pinchart
2018-01-09 10:04 ` Greg KH
2018-01-09 14:26 ` Laurent Pinchart
2018-01-09 14:47 ` Greg KH
2018-01-08 11:23 ` Laurent Pinchart
2018-01-09 2:11 ` Dan Williams
2018-01-06 1:10 ` [PATCH 08/18] carl9170: " Dan Williams
2018-01-06 10:01 ` Sergei Shtylyov
2018-01-06 14:23 ` Christian Lamparter
2018-01-06 15:06 ` Alan Cox
2018-01-06 16:38 ` Christian Lamparter
2018-01-06 16:34 ` Dan Williams
2018-01-06 1:10 ` [PATCH 09/18] p54: " Dan Williams
2018-01-06 10:01 ` Sergei Shtylyov
2018-01-06 1:10 ` [PATCH 10/18] qla2xxx: " Dan Williams
2018-01-06 9:03 ` Greg KH
2018-01-06 9:42 ` Greg KH
2018-01-11 22:15 ` Dan Williams
2018-01-12 7:27 ` Greg KH
2018-01-12 15:25 ` James Bottomley
2018-01-06 1:10 ` [PATCH 11/18] cw1200: " Dan Williams
2018-01-06 1:10 ` [PATCH 12/18] Thermal/int340x: " Dan Williams
2018-01-06 1:53 ` Srinivas Pandruvada
2018-01-06 1:57 ` Dan Williams
2018-01-06 17:24 ` Srinivas Pandruvada
2018-01-06 10:03 ` Sergei Shtylyov
2018-01-06 1:11 ` [PATCH 13/18] ipv6: " Dan Williams
2018-01-06 10:04 ` Sergei Shtylyov
2018-01-06 14:48 ` Stephen Hemminger
2018-01-06 18:05 ` Dan Williams
2018-01-06 1:11 ` [PATCH 14/18] ipv4: " Dan Williams
2018-01-06 9:00 ` Greg KH
2018-01-06 9:01 ` Greg KH
2018-01-06 12:23 ` Alan Cox
2018-01-06 15:14 ` Greg KH
2018-01-06 16:29 ` Dan Williams
2018-01-06 18:10 ` Dan Williams
2018-01-06 10:04 ` Sergei Shtylyov
2018-01-06 1:11 ` [PATCH 15/18] vfs, fdtable: " Dan Williams
2018-01-06 10:05 ` Sergei Shtylyov
2018-01-06 1:11 ` [PATCH 16/18] net: mpls: " Dan Williams
2018-01-06 10:06 ` Sergei Shtylyov
2018-01-09 3:11 ` Eric W. Biederman
2018-01-09 3:42 ` Dan Williams
2018-01-09 4:13 ` Linus Torvalds
2018-01-09 4:21 ` Linus Torvalds
2018-01-10 0:48 ` Dan Williams
2018-01-10 1:33 ` Dan Williams
2018-01-10 1:57 ` Alexei Starovoitov
2018-01-10 2:22 ` Dan Williams
2018-01-10 3:07 ` Alexei Starovoitov
2018-01-10 3:27 ` Linus Torvalds
2018-01-09 16:17 ` Eric W. Biederman
2018-01-09 18:01 ` Dan Williams
2018-01-10 0:54 ` Eric W. Biederman
2018-01-10 1:31 ` Dan Williams
2018-01-06 1:11 ` [PATCH 17/18] udf: " Dan Williams
2018-01-08 10:20 ` Jan Kara
2018-01-06 1:11 ` [PATCH 18/18] userns: " Dan Williams
2018-01-06 2:22 ` [PATCH 00/18] " Eric W. Biederman
2018-01-06 6:30 ` Dan Williams
2018-01-08 10:08 ` Peter Zijlstra
2018-01-08 11:14 ` Laurent Pinchart
2018-01-08 11:43 ` Alan Cox
2018-01-08 11:55 ` Peter Zijlstra
2018-01-08 18:33 ` Ingo Molnar
2018-01-08 16:20 ` Bart Van Assche
2018-01-06 18:56 ` Florian Fainelli
2018-01-06 18:59 ` Arjan van de Ven
2018-01-06 19:37 ` Dan Williams
2018-01-06 20:07 ` Dan Williams
2018-01-08 4:49 ` Bart Van Assche
2018-01-08 13:33 ` Arjan van de Ven
2018-01-09 19:34 ` Jiri Kosina
2018-01-09 19:44 ` Dan Williams
2018-01-09 20:55 ` Josh Poimboeuf
2018-01-11 9:54 ` Jiri Kosina
2018-01-11 15:58 ` Dan Williams
2018-01-11 16:34 ` Daniel Borkmann
2018-01-13 11:33 ` QingFeng Hao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPcyv4je-agqvmNSJf7v-1VBOrfhOvcs_qASNPJiBzgTt70dPA@mail.gmail.com \
--to=dan.j.williams@intel.com \
--cc=alan@linux.intel.com \
--cc=dsj@fb.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).