lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Jul 2019 18:52:12 -0500 From: "Gustavo A. R. Silva" <gustavo@...eddedor.com> To: Tony Luck <tony.luck@...el.com>, Doug Ledford <dledford@...hat.com> Cc: Jason Gunthorpe <jgg@...pe.ca>, Leon Romanovsky <leon@...nel.org>, Parav Pandit <parav@...lanox.com>, Ira Weiny <ira.weiny@...el.com>, linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] IB/core: Add mitigation for Spectre V1 On 7/30/19 3:24 PM, Tony Luck wrote: > Some processors may mispredict an array bounds check and > speculatively access memory that they should not. With > a user supplied array index we like to play things safe > by masking the value with the array size before it is > used as an index. > > Signed-off-by: Tony Luck <tony.luck@...el.com> > --- > > [I don't have h/w, so just compile tested] > > drivers/infiniband/core/user_mad.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c > index 9f8a48016b41..fdce254e4f65 100644 > --- a/drivers/infiniband/core/user_mad.c > +++ b/drivers/infiniband/core/user_mad.c > @@ -49,6 +49,7 @@ > #include <linux/sched.h> > #include <linux/semaphore.h> > #include <linux/slab.h> > +#include <linux/nospec.h> > > #include <linux/uaccess.h> > > @@ -888,6 +889,7 @@ static int ib_umad_unreg_agent(struct ib_umad_file *file, u32 __user *arg) > mutex_lock(&file->port->file_mutex); > mutex_lock(&file->mutex); > > + id = array_index_nospec(id, IB_UMAD_MAX_AGENTS); This is wrong. This prevents the below condition id >= IB_UMAD_MAX_AGENTS from ever being true. And I don't think this is what you want. > if (id >= IB_UMAD_MAX_AGENTS || !__get_agent(file, id)) { > ret = -EINVAL; > goto out; > -- Gustavo
Powered by blists - more mailing lists