From patchwork Tue Jul 31 14:25:57 2018
X-Patchwork-Submitter: Jinbum Park
X-Patchwork-Id: 10550835
Date: Tue, 31 Jul 2018 23:25:57 +0900
From: Jinbum Park
To: peterz@infradead.org, mingo@redhat.com, acme@kernel.org, alexander.shishkin@linux.intel.com, jolsa@redhat.com, namhyung@kernel.org
Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: [PATCH] perf/core: Fix possible Spectre-v1 for perf_swevent_enabled
Message-ID: <20180731142557.GA12460@pjb1027-Latitude-E5410>

User controls @event_id, which is to be used as an index of perf_swevent_enabled. So it can be exploited via a Spectre-like attack (speculative execution). So sanitize @event_id before using it to prevent the attack.

I leveraged strategy [1] to find this gadget.

[1] https://github.com/jinb-park/linux-exploit/tree/master/exploit-remaining-spectre-gadget/
Signed-off-by: Jinbum Park --- kernel/events/core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c index f6ea33a..3313552 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -50,6 +50,7 @@ #include #include #include +#include #include "internal.h" @@ -8200,6 +8201,7 @@ static int perf_swevent_init(struct perf_event *event) if (err) return err; + event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX); static_key_slow_inc(&perf_swevent_enabled[event_id]); event->destroy = sw_perf_event_destroy; }
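Review bot: the added `#include` at line 53 has lost its header name in this rendering; array_index_nospec() is declared in linux/nospec.h, so the line should read `#include <linux/nospec.h>`, and it sits correctly among the other angle-bracket includes ahead of `#include "internal.h"`.

Review bot: the clamp at line 8204 depends on an earlier rejection of out-of-range values that is not inside this hunk's context, so confirm that perf_swevent_init() still returns before this point when event_id >= PERF_COUNT_SW_MAX. array_index_nospec() only masks an out-of-range index to 0, it does not report it, so the architectural bounds check must stay and the clamp must sit after it and before the first array use, which here is `static_key_slow_inc(&perf_swevent_enabled[event_id]);`. Placing it right after `if (err) return err;` also keeps the masked value out of the error path, which is fine.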
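As an added example, not part of this patch or of the kernel tree: a user-space model of the gadget the commit message describes (a user-controlled index used on an array after a bounds check) next to the branch-free masking that array_index_nospec() applies. The mask formula is the kernel's generic array_index_mask_nospec(); the names index_mask_nospec, index_nospec, lookup_unsafe, lookup_hardened, the table size SW_EVENT_MAX and the table contents are assumptions for illustration and do not reproduce the real perf_swevent_enabled[] values.

```c
/*
 * Added example, not from the patch or the kernel tree.
 * Models the Spectre-v1 gadget shape and the array_index_nospec()
 * fix in user space. SW_EVENT_MAX, the table contents and the
 * function names are assumptions standing in for PERF_COUNT_SW_MAX
 * and perf_swevent_enabled[].
 */
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Assumed table size, standing in for PERF_COUNT_SW_MAX. */
#define SW_EVENT_MAX 11UL

/* Constructed table standing in for perf_swevent_enabled[]. */
static unsigned long sw_event_enabled[SW_EVENT_MAX] = {
    1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0
};

/*
 * Generic array_index_mask_nospec(): returns all ones when
 * index < size and zero otherwise, with no branch the CPU could
 * speculate past. (size - 1 - index) wraps negative exactly when
 * index >= size; the OR then carries that sign bit, ~ inverts it,
 * and the arithmetic shift smears it across the whole word.
 * Relies on two's complement and arithmetic right shift, as the
 * kernel does.
 */
static inline unsigned long index_mask_nospec(unsigned long index,
                                              unsigned long size)
{
    /* volatile stands in for OPTIMIZER_HIDE_VAR(): keep the mask live */
    volatile unsigned long hidden = index;
    index = hidden;
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* array_index_nospec(): index unchanged when in range, else 0. */
static inline unsigned long index_nospec(unsigned long index,
                                         unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/*
 * Gadget shape: a bounds check followed by a load that depends on the
 * checked value. Architecturally the check holds; under speculation
 * the compare may be ignored and event_id used as-is, so an attacker
 * controlled offset reaches the load.
 */
int lookup_unsafe(unsigned long event_id)
{
    if (event_id >= SW_EVENT_MAX)
        return -1;
    return (int)sw_event_enabled[event_id];
}

/*
 * Hardened form mirroring the patch: keep the architectural check,
 * then clamp the index before its first use so that even a
 * mispredicted check only ever loads element 0.
 */
int lookup_hardened(unsigned long event_id)
{
    if (event_id >= SW_EVENT_MAX)
        return -1;
    event_id = index_nospec(event_id, SW_EVENT_MAX);
    return (int)sw_event_enabled[event_id];
}

/* What the clamp alone does to an index, with no bounds check in front. */
unsigned long clamp_only(unsigned long event_id)
{
    return index_nospec(event_id, SW_EVENT_MAX);
}

int main(void)
{
    unsigned long probes[] = { 0, 5, SW_EVENT_MAX - 1, SW_EVENT_MAX, ~0UL };
    for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("index %lu -> mask %#lx, clamped %lu, hardened %d\n",
               probes[i], index_mask_nospec(probes[i], SW_EVENT_MAX),
               clamp_only(probes[i]), lookup_hardened(probes[i]));
    return 0;
}
```

The point of clamp_only() is that the mask works even when the bounds check is absent or bypassed: any index at or above SW_EVENT_MAX collapses to 0, so the speculative load can only touch a slot the attacker could already read. That is why the patch places the clamp between the check and the array use rather than replacing the check.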