From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
To: Kentaro Takeda <takedakn@nttdata.co.jp>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>
Subject: [PATCH] tomoyo: common: Fix potential Spectre v1 vulnerability
Date: Wed, 31 Jul 2019 13:54:57 -0500 [thread overview]
Message-ID: <20190731185457.GA21407@embeddedor> (raw)
profile is controlled by user-space via /sys/kernel/security/tomoyo/profile,
hence leading to a potential exploitation of the Spectre variant 1
vulnerability.
This issue was detected with the help of Smatch:
security/tomoyo/common.c:498 tomoyo_assign_profile() warn: potential spectre issue 'ns->profile_ptr' [r] (local cap)
security/tomoyo/common.c:499 tomoyo_assign_profile() warn: possible spectre second half. 'ptr'
security/tomoyo/common.c:505 tomoyo_assign_profile() warn: possible spectre second half. 'ptr'
security/tomoyo/common.c:523 tomoyo_assign_profile() warn: possible spectre second half. 'ptr'
Fix this by sanitizing profile before using it to index ns->profile_ptr
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
security/tomoyo/common.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index dd3d5942e669..45858dbcfdb9 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -8,6 +8,7 @@
#include <linux/uaccess.h>
#include <linux/slab.h>
#include <linux/security.h>
+#include <linux/nospec.h>
#include "common.h"
/* String table for operation mode. */
@@ -488,13 +489,15 @@ static void tomoyo_print_number_union(struct tomoyo_io_buffer *head,
* Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
*/
static struct tomoyo_profile *tomoyo_assign_profile
-(struct tomoyo_policy_namespace *ns, const unsigned int profile)
+(struct tomoyo_policy_namespace *ns, unsigned int profile)
{
struct tomoyo_profile *ptr;
struct tomoyo_profile *entry;
if (profile >= TOMOYO_MAX_PROFILES)
return NULL;
+ profile = array_index_nospec(profile, TOMOYO_MAX_PROFILES);
+
ptr = ns->profile_ptr[profile];
if (ptr)
return ptr;
--
2.22.0
next reply other threads:[~2019-07-31 19:19 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-31 18:54 Gustavo A. R. Silva [this message]
2019-08-01 11:02 ` [PATCH] tomoyo: common: Fix potential Spectre v1 vulnerability Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190731185457.GA21407@embeddedor \
--to=gustavo@embeddedor.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=serge@hallyn.com \
--cc=takedakn@nttdata.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.