From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will.deacon@arm.com>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.14 50/67] arm64: fix possible spectre-v1 write in ptrace_hbp_set_event()
Date: Fri, 7 Sep 2018 00:37:58 +0000
Message-ID: <20180907003716.57737-50-alexander.levin@microsoft.com>
In-Reply-To: <20180907003716.57737-1-alexander.levin@microsoft.com>

From: Mark Rutland <mark.rutland@arm.com>

[ Upstream commit 14d6e289a89780377f8bb09de8926d3c62d763cd ]

It's possible for userspace to control idx. Sanitize idx when using it
as an array index, to inhibit the potential spectre-v1 write gadget.

Found by smatch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 arch/arm64/kernel/ptrace.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index edaf346d13d5..34d915b6974b 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -274,19 +274,22 @@ static int ptrace_hbp_set_event(unsigned int note_type,
 
 	switch (note_type) {
 	case NT_ARM_HW_BREAK:
-		if (idx < ARM_MAX_BRP) {
-			tsk->thread.debug.hbp_break[idx] = bp;
-			err = 0;
-		}
+		if (idx >= ARM_MAX_BRP)
+			goto out;
+		idx = array_index_nospec(idx, ARM_MAX_BRP);
+		tsk->thread.debug.hbp_break[idx] = bp;
+		err = 0;
 		break;
 	case NT_ARM_HW_WATCH:
-		if (idx < ARM_MAX_WRP) {
-			tsk->thread.debug.hbp_watch[idx] = bp;
-			err = 0;
-		}
+		if (idx >= ARM_MAX_WRP)
+			goto out;
+		idx = array_index_nospec(idx, ARM_MAX_WRP);
+		tsk->thread.debug.hbp_watch[idx] = bp;
+		err = 0;
 		break;
 	}
 
+out:
 	return err;
 }
 
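Review bot: The hunk introduces two calls to array_index_nospec() but adds no `#include <linux/nospec.h>`, and the diffstat (11 insertions, 8 deletions, all accounted for by this one hunk) confirms no include line was added anywhere in the file. For a 4.14 backport the reviewer should confirm that arch/arm64/kernel/ptrace.c already pulls in linux/nospec.h directly or transitively, otherwise this will not build. Secondly, the new `goto out` paths skip the `break` and return whatever `err` held before the `switch`; that initialization is outside the visible context, so it is worth confirming `err` is preset to an error value (the original code only set `err = 0` inside the bounds-checked branch, so the intent is clearly that out-of-range `idx` keeps the pre-set error). Otherwise the shape of the fix is right: the bounds check is kept as a hard early exit, and array_index_nospec() clamps `idx` before it is used as the store index into hbp_break[] / hbp_watch[], which is exactly what is needed to kill a speculative out-of-bounds write gadget.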
-- 
2.17.1
