| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Feb 2022 21:01:14 +0000
From: Andrew Cooper <Andrew.Cooper3@...rix.com>
To: Jordy Zomer <jordy@...ing.systems>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: Oded Gabbay <ogabbay@...nel.org>, Arnd Bergmann <arnd@...db.de>,
"Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
Ofir Bitton <obitton@...ana.ai>,
Dani Liberman <dliberman@...ana.ai>,
Yuri Nudelman <ynudelman@...ana.ai>,
Sagiv Ozeri <sozeri@...ana.ai>, Koby Elbaz <kelbaz@...ana.ai>,
farah kassabri <fkassabri@...ana.ai>
Subject: Re: [PATCHv3] habanalabs: fix potential spectre v1 gadgets
On 02/02/2022 19:11, Jordy Zomer wrote:
> diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> index 3ba3a8ffda3e..c1cdf712a10d 100644
> --- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> +++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> @@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
> + nr = array_index_nospec(nr, HL_COMMAND_END);
> ioctl = &hl_ioctls[nr];
> } else {
> dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
> @@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if (nr == _IOC_NR(HL_IOCTL_INFO)) {
> + nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO)+1);
> ioctl = &hl_ioctls_control[nr];
> } else {
> dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
Sorry for jumping in the middle here, but array_index_nospec() is
finicky to use, and both examples here don't quite behave as intended.
(In reverse order), first, any competent compiler will turn:
if (nr == _IOC_NR(HL_IOCTL_INFO)) {
ioctl = &hl_ioctls_control[nr];
into
ioctl = &hl_ioctls_control[_IOC_NR(HL_IOCTL_INFO)];
which can be evaluated at compile time without reference to nr. By
using array_index_nospec(), you inhibit this optimisation, forcing the
load to be dependent on nr, and with the extra logic to try and make nr
be safe.
Second, array_index_nospec(nr, HL_COMMAND_END); only protects the upper
bound. In this case, the valid lower bound is not zero.
i.e. while you've prevented an OoB read of the hl_ioctls[] array as a
whole, there is still a Spectre-v1 gadget where you can speculatively
continue using &hl_ioctls[0] which is out of bounds from the logic's
point of view.
One fix is to use:
nr = HL_COMMAND_START +
array_index_nospec(nr, HL_COMMAND_END - HL_COMMAND_START);
while another is to confirm that the subsequent logic is safe to
confused-deputy problems. This analysis probably needs doing anyway as
there are multiple ioctl implementations that can be selected.
~Andrew
Powered by blists - more mailing lists