Message-ID: <CADnq5_Ons4y+sweZGg4LgJpfn8wzgg8xdpytLt-78PVqqg-LpA@mail.gmail.com>
Date: Tue, 24 Jul 2018 16:53:20 -0400
From: Alex Deucher <alexdeucher@...il.com>
To: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
Cc: Alex Deucher <alexander.deucher@....com>,
Christian König <christian.koenig@....com>,
"David (ChunMing) Zhou" <David1.Zhou@....com>,
David Airlie <airlied@...ux.ie>,
Maling list - DRI developers
<dri-devel@...ts.freedesktop.org>,
amd-gfx list <amd-gfx@...ts.freedesktop.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] drm/amdgpu/pm: Fix potential Spectre v1

On Mon, Jul 23, 2018 at 12:32 PM, Gustavo A. R. Silva
<gustavo@...eddedor.com> wrote:
> idx can be indirectly controlled by user-space, hence leading to a
> potential exploitation of the Spectre variant 1 vulnerability.
>
> This issue was detected with the help of Smatch:
>
> drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c:408 amdgpu_set_pp_force_state()
> warn: potential spectre issue 'data.states'
>
> Fix this by sanitizing idx before using it to index data.states

Is this actually necessary?  We already check that idx is valid a few
lines before:

	if (ret || idx >= ARRAY_SIZE(data.states)) {
		count = -EINVAL;
		goto fail;
	}

Alex

>
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
>
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
>
> Cc: stable@...r.kernel.org
> Signed-off-by: Gustavo A. R. Silva <gustavo@...eddedor.com>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
> index 15a1192..a446c7c 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
> @@ -31,7 +31,7 @@
> #include <linux/power_supply.h>
> #include <linux/hwmon.h>
> #include <linux/hwmon-sysfs.h>
> -
> +#include <linux/nospec.h>
>
> static int amdgpu_debugfs_pm_init(struct amdgpu_device *adev);
>
> @@ -403,6 +403,7 @@ static ssize_t amdgpu_set_pp_force_state(struct device *dev,
> count = -EINVAL;
> goto fail;
> }
> + idx = array_index_nospec(idx, ARRAY_SIZE(data.states));
>
> amdgpu_dpm_get_pp_num_states(adev, &data);
> state = data.states[idx];
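
Review bot: The added array_index_nospec() line at the top of this hunk sits directly after an architectural bounds check (the "count = -EINVAL; goto fail;" block), and nothing in the code or the changelog says why both are needed. The check only constrains idx once its branch has resolved; if that branch is mispredicted, the "state = data.states[idx];" load two lines further down can still execute speculatively with an out-of-range idx, and that is the case the clamp covers. A one-line comment above the clamp, or a sentence in the changelog saying that the earlier check does not bound speculative execution, would settle the "is this necessary" question for the next reader. The size passed, ARRAY_SIZE(data.states), is the same bound used in the check quoted in the reply above, so the clamp and the check agree.
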
> --
> 2.7.4
>
> _______________________________________________
> amd-gfx mailing list
> amd-gfx@...ts.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/amd-gfx
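
Added example (not part of the original thread and not the kernel's or the driver's own code): a user-space C model of the branchless clamp that array_index_nospec() performs, using the same mask expression as the kernel's generic array_index_mask_nospec() (some architectures substitute their own version). NSTATES and the function names index_mask_nospec, clamp_index and lookup_state are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define NSTATES 16UL /* constructed stand-in for ARRAY_SIZE(data.states) */

/*
 * All-ones when index < size, zero otherwise, with no conditional branch
 * for the CPU to mispredict. Assumes size <= LONG_MAX and an arithmetic
 * right shift of negative values (what gcc and clang do).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* In-range indexes pass through unchanged; anything else becomes 0. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Shape of the patched code: architectural check, clamp, then the load. */
static int lookup_state(const int *states, unsigned long idx)
{
	if (idx >= NSTATES)
		return -1; /* the driver's -EINVAL path */
	idx = clamp_index(idx, NSTATES);
	return states[idx];
}

int main(void)
{
	int states[NSTATES];
	unsigned long probes[] = { 0, 5, NSTATES - 1, NSTATES, 4096, ULONG_MAX };

	for (unsigned long i = 0; i < NSTATES; i++)
		states[i] = 100 + (int)i;
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("idx=%lu mask=%#lx clamped=%lu lookup=%d\n", probes[i],
		       index_mask_nospec(probes[i], NSTATES),
		       clamp_index(probes[i], NSTATES),
		       lookup_state(states, probes[i]));
	return 0;
}
```

Architecturally the out-of-range probes never reach the load because the check rejects them first; the clamp matters only when that check's branch is mispredicted, which a functional model like this cannot exhibit but whose data dependency it does show.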