[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b1d114af-c0ba-63f5-0905-86128d3c0b3a@cogentembedded.com>
Date: Sat, 6 Jan 2018 13:03:22 +0300
From: Sergei Shtylyov <sergei.shtylyov@...entembedded.com>
To: Dan Williams <dan.j.williams@...el.com>,
linux-kernel@...r.kernel.org
Cc: linux-arch@...r.kernel.org, gregkh@...uxfoundation.org,
peterz@...radead.org, netdev@...r.kernel.org,
Eduardo Valentin <edubezval@...il.com>,
Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>,
Zhang Rui <rui.zhang@...el.com>, torvalds@...ux-foundation.org,
tglx@...utronix.de, Elena Reshetova <elena.reshetova@...el.com>,
alan@...ux.intel.com
Subject: Re: [PATCH 12/18] Thermal/int340x: prevent bounds-check bypass via
speculative execution
On 1/6/2018 4:10 AM, Dan Williams wrote:
> Static analysis reports that 'trip' may be a user controlled value that
> is used as a data dependency to read '*temp' from the 'd->aux_trips'
> array. In order to avoid potential leaks of kernel memory values, block
> speculative execution of the instruction stream that could issue reads
> based on an invalid value of '*temp'.
>
> Based on an original patch by Elena Reshetova.
>
> Cc: Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>
> Cc: Zhang Rui <rui.zhang@...el.com>
> Cc: Eduardo Valentin <edubezval@...il.com>
> Signed-off-by: Elena Reshetova <elena.reshetova@...el.com>
> Signed-off-by: Dan Williams <dan.j.williams@...el.com>
> ---
> .../thermal/int340x_thermal/int340x_thermal_zone.c | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
> index 145a5c53ff5c..442a1d9bf7ad 100644
> --- a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
> +++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
[...]
> @@ -52,20 +53,21 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone,
> int trip, int *temp)
> {
> struct int34x_thermal_zone *d = zone->devdata;
> + unsigned long *elem;
> int i;
>
> if (d->override_ops && d->override_ops->get_trip_temp)
> return d->override_ops->get_trip_temp(zone, trip, temp);
>
> - if (trip < d->aux_trip_nr)
> - *temp = d->aux_trips[trip];
> - else if (trip == d->crt_trip_id)
> + if ((elem = nospec_array_ptr(d->aux_trips, trip, d->aux_trip_nr))) {
And here...
> + *temp = *elem;
> + } else if (trip == d->crt_trip_id) {
> *temp = d->crt_temp;
> - else if (trip == d->psv_trip_id)
> + } else if (trip == d->psv_trip_id) {
> *temp = d->psv_temp;
> - else if (trip == d->hot_trip_id)
> + } else if (trip == d->hot_trip_id) {
> *temp = d->hot_temp;
> - else {
> + } else {
> for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) {
> if (d->act_trips[i].valid &&
> d->act_trips[i].id == trip) {
MBR, Sergei
Powered by blists - more mailing lists