| Message ID | 20180519011342.GA13962@embeddedgus (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 05/18/2018 07:13 PM, Gustavo A. R. Silva wrote: > pdev_nr and rhport can be controlled by user-space, hence leading to > a potential exploitation of the Spectre variant 1 vulnerability. > > This issue was detected with the help of Smatch: > drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis' > drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis' > drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev' > drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev' > > Fix this by sanitizing pdev_nr and rhport before using them to index > vhcis and vhci->vhci_hcd_ss->vdev respectively. > > Notice that given that speculation windows are large, the policy is > to kill the speculation on the first load and not worry if it can be > completed with a dependent load/store [1]. > > [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 > > Cc: stable@vger.kernel.org > Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> > --- > Changes in v3: > - Pass the addresses of pdev_nr and rhport into valid_port and > valid_args. > > Changes in v2: > - Place the barriers into valid_port. > > drivers/usb/usbip/vhci_sysfs.c | 24 ++++++++++++++++-------- > 1 file changed, 16 insertions(+), 8 deletions(-) > > diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c > index 4880838..be37aec 100644 > --- a/drivers/usb/usbip/vhci_sysfs.c > +++ b/drivers/usb/usbip/vhci_sysfs.c > @@ -10,6 +10,9 @@ > #include <linux/platform_device.h> > #include <linux/slab.h> > > +/* Hardening for Spectre-v1 */ > +#include <linux/nospec.h> > + > #include "usbip_common.h" > #include "vhci.h" > > @@ -205,16 +208,20 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) > return 0; > } > > -static int valid_port(__u32 pdev_nr, __u32 rhport) > +static int valid_port(__u32 *pdev_nr, __u32 *rhport) > { > - if (pdev_nr >= vhci_num_controllers) { > - pr_err("pdev %u\n", pdev_nr); > + if (*pdev_nr >= vhci_num_controllers) { > + pr_err("pdev %u\n", *pdev_nr); > return 0; > } > - if (rhport >= VHCI_HC_PORTS) { > - pr_err("rhport %u\n", rhport); > + *pdev_nr = array_index_nospec(*pdev_nr, vhci_num_controllers); > + > + if (*rhport >= VHCI_HC_PORTS) { > + pr_err("rhport %u\n", *rhport); > return 0; > } > + *rhport = array_index_nospec(*rhport, VHCI_HC_PORTS); > + > return 1; > } > > @@ -232,7 +239,7 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr, > pdev_nr = port_to_pdev_nr(port); > rhport = port_to_rhport(port); > > - if (!valid_port(pdev_nr, rhport)) > + if (!valid_port(&pdev_nr, &rhport)) > return -EINVAL; > > hcd = platform_get_drvdata(vhcis[pdev_nr].pdev); > @@ -258,7 +265,8 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr, > } > static DEVICE_ATTR_WO(detach); > > -static int valid_args(__u32 pdev_nr, __u32 rhport, enum usb_device_speed speed) > +static int valid_args(__u32 *pdev_nr, __u32 *rhport, > + enum usb_device_speed speed) > { > if (!valid_port(pdev_nr, rhport)) { > return 0; > @@ -322,7 +330,7 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, > sockfd, devid, speed); > > /* check received parameters */ > - if (!valid_args(pdev_nr, rhport, speed)) > + if (!valid_args(&pdev_nr, &rhport, speed)) > return -EINVAL; > > hcd = platform_get_drvdata(vhcis[pdev_nr].pdev); > Looks good to me. Thanks for taking care of this. Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org> -- Shuah -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 05/22/2018 10:56 AM, Shuah Khan wrote: > On 05/18/2018 07:13 PM, Gustavo A. R. Silva wrote: >> pdev_nr and rhport can be controlled by user-space, hence leading to >> a potential exploitation of the Spectre variant 1 vulnerability. >> >> This issue was detected with the help of Smatch: >> drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis' >> drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis' >> drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev' >> drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev' >> >> Fix this by sanitizing pdev_nr and rhport before using them to index >> vhcis and vhci->vhci_hcd_ss->vdev respectively. >> >> Notice that given that speculation windows are large, the policy is >> to kill the speculation on the first load and not worry if it can be >> completed with a dependent load/store [1]. >> >> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 >> >> Cc: stable@vger.kernel.org >> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> >> --- >> Changes in v3: >> - Pass the addresses of pdev_nr and rhport into valid_port and >> valid_args. >> >> Changes in v2: >> - Place the barriers into valid_port. >> >> drivers/usb/usbip/vhci_sysfs.c | 24 ++++++++++++++++-------- >> 1 file changed, 16 insertions(+), 8 deletions(-) >> >> diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c >> index 4880838..be37aec 100644 >> --- a/drivers/usb/usbip/vhci_sysfs.c >> +++ b/drivers/usb/usbip/vhci_sysfs.c >> @@ -10,6 +10,9 @@ >> #include <linux/platform_device.h> >> #include <linux/slab.h> >> >> +/* Hardening for Spectre-v1 */ >> +#include <linux/nospec.h> >> + >> #include "usbip_common.h" >> #include "vhci.h" >> >> @@ -205,16 +208,20 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) >> return 0; >> } >> >> -static int valid_port(__u32 pdev_nr, __u32 rhport) >> +static int valid_port(__u32 *pdev_nr, __u32 *rhport) >> { >> - if (pdev_nr >= vhci_num_controllers) { >> - pr_err("pdev %u\n", pdev_nr); >> + if (*pdev_nr >= vhci_num_controllers) { >> + pr_err("pdev %u\n", *pdev_nr); >> return 0; >> } >> - if (rhport >= VHCI_HC_PORTS) { >> - pr_err("rhport %u\n", rhport); >> + *pdev_nr = array_index_nospec(*pdev_nr, vhci_num_controllers); >> + >> + if (*rhport >= VHCI_HC_PORTS) { >> + pr_err("rhport %u\n", *rhport); >> return 0; >> } >> + *rhport = array_index_nospec(*rhport, VHCI_HC_PORTS); >> + >> return 1; >> } >> >> @@ -232,7 +239,7 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr, >> pdev_nr = port_to_pdev_nr(port); >> rhport = port_to_rhport(port); >> >> - if (!valid_port(pdev_nr, rhport)) >> + if (!valid_port(&pdev_nr, &rhport)) >> return -EINVAL; >> >> hcd = platform_get_drvdata(vhcis[pdev_nr].pdev); >> @@ -258,7 +265,8 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr, >> } >> static DEVICE_ATTR_WO(detach); >> >> -static int valid_args(__u32 pdev_nr, __u32 rhport, enum usb_device_speed speed) >> +static int valid_args(__u32 *pdev_nr, __u32 *rhport, >> + enum usb_device_speed speed) >> { >> if (!valid_port(pdev_nr, rhport)) { >> return 0; >> @@ -322,7 +330,7 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, >> sockfd, devid, speed); >> >> /* check received parameters */ >> - if (!valid_args(pdev_nr, rhport, speed)) >> + if (!valid_args(&pdev_nr, &rhport, speed)) >> return -EINVAL; >> >> hcd = platform_get_drvdata(vhcis[pdev_nr].pdev); >> > > Looks good to me. Thanks for taking care of this. > Glad to help. :) > Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org> > Thanks -- Gustavo -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c index 4880838..be37aec 100644 --- a/drivers/usb/usbip/vhci_sysfs.c +++ b/drivers/usb/usbip/vhci_sysfs.c @@ -10,6 +10,9 @@ #include <linux/platform_device.h> #include <linux/slab.h> +/* Hardening for Spectre-v1 */ +#include <linux/nospec.h> + #include "usbip_common.h" #include "vhci.h" @@ -205,16 +208,20 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) return 0; } -static int valid_port(__u32 pdev_nr, __u32 rhport) +static int valid_port(__u32 *pdev_nr, __u32 *rhport) { - if (pdev_nr >= vhci_num_controllers) { - pr_err("pdev %u\n", pdev_nr); + if (*pdev_nr >= vhci_num_controllers) { + pr_err("pdev %u\n", *pdev_nr); return 0; } - if (rhport >= VHCI_HC_PORTS) { - pr_err("rhport %u\n", rhport); + *pdev_nr = array_index_nospec(*pdev_nr, vhci_num_controllers); + + if (*rhport >= VHCI_HC_PORTS) { + pr_err("rhport %u\n", *rhport); return 0; } + *rhport = array_index_nospec(*rhport, VHCI_HC_PORTS); + return 1; } @@ -232,7 +239,7 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr, pdev_nr = port_to_pdev_nr(port); rhport = port_to_rhport(port); - if (!valid_port(pdev_nr, rhport)) + if (!valid_port(&pdev_nr, &rhport)) return -EINVAL; hcd = platform_get_drvdata(vhcis[pdev_nr].pdev); @@ -258,7 +265,8 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr, } static DEVICE_ATTR_WO(detach); -static int valid_args(__u32 pdev_nr, __u32 rhport, enum usb_device_speed speed) +static int valid_args(__u32 *pdev_nr, __u32 *rhport, + enum usb_device_speed speed) { if (!valid_port(pdev_nr, rhport)) { return 0; @@ -322,7 +330,7 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, sockfd, devid, speed); /* check received parameters */ - if (!valid_args(pdev_nr, rhport, speed)) + if (!valid_args(&pdev_nr, &rhport, speed)) return -EINVAL; hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);
pdev_nr and rhport can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis' drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis' drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev' drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev' Fix this by sanitizing pdev_nr and rhport before using them to index vhcis and vhci->vhci_hcd_ss->vdev respectively. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> --- Changes in v3: - Pass the addresses of pdev_nr and rhport into valid_port and valid_args. Changes in v2: - Place the barriers into valid_port. drivers/usb/usbip/vhci_sysfs.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-)