lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 6 Jan 2018 13:03:22 +0300
From:   Sergei Shtylyov <sergei.shtylyov@...entembedded.com>
To:     Dan Williams <dan.j.williams@...el.com>,
        linux-kernel@...r.kernel.org
Cc:     linux-arch@...r.kernel.org, gregkh@...uxfoundation.org,
        peterz@...radead.org, netdev@...r.kernel.org,
        Eduardo Valentin <edubezval@...il.com>,
        Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>,
        Zhang Rui <rui.zhang@...el.com>, torvalds@...ux-foundation.org,
        tglx@...utronix.de, Elena Reshetova <elena.reshetova@...el.com>,
        alan@...ux.intel.com
Subject: Re: [PATCH 12/18] Thermal/int340x: prevent bounds-check bypass via
 speculative execution

On 1/6/2018 4:10 AM, Dan Williams wrote:

> Static analysis reports that 'trip' may be a user controlled value that
> is used as a data dependency to read '*temp' from the 'd->aux_trips'
> array.  In order to avoid potential leaks of kernel memory values, block
> speculative execution of the instruction stream that could issue reads
> based on an invalid value of '*temp'.
> 
> Based on an original patch by Elena Reshetova.
> 
> Cc: Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>
> Cc: Zhang Rui <rui.zhang@...el.com>
> Cc: Eduardo Valentin <edubezval@...il.com>
> Signed-off-by: Elena Reshetova <elena.reshetova@...el.com>
> Signed-off-by: Dan Williams <dan.j.williams@...el.com>
> ---
>   .../thermal/int340x_thermal/int340x_thermal_zone.c |   14 ++++++++------
>   1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
> index 145a5c53ff5c..442a1d9bf7ad 100644
> --- a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
> +++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
[...]
> @@ -52,20 +53,21 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone,
>   					 int trip, int *temp)
>   {
>   	struct int34x_thermal_zone *d = zone->devdata;
> +	unsigned long *elem;
>   	int i;
>   
>   	if (d->override_ops && d->override_ops->get_trip_temp)
>   		return d->override_ops->get_trip_temp(zone, trip, temp);
>   
> -	if (trip < d->aux_trip_nr)
> -		*temp = d->aux_trips[trip];
> -	else if (trip == d->crt_trip_id)
> +	if ((elem = nospec_array_ptr(d->aux_trips, trip, d->aux_trip_nr))) {

    And here...

> +		*temp = *elem;
> +	} else if (trip == d->crt_trip_id) {
>   		*temp = d->crt_temp;
> -	else if (trip == d->psv_trip_id)
> +	} else if (trip == d->psv_trip_id) {
>   		*temp = d->psv_temp;
> -	else if (trip == d->hot_trip_id)
> +	} else if (trip == d->hot_trip_id) {
>   		*temp = d->hot_temp;
> -	else {
> +	} else {
>   		for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) {
>   			if (d->act_trips[i].valid &&
>   			    d->act_trips[i].id == trip) {

MBR, Sergei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ