releases/4.4.175/drm-bufs-fix-spectre-v1-vulnerability.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From c9c8e4384dd822b463b8df56f8e415f265fd3c05 Mon Sep 17 00:00:00 2001
 From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
 Date: Tue, 16 Oct 2018 11:55:49 +0200
 Subject: drm/bufs: Fix Spectre v1 vulnerability

 [ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ]

 idx can be indirectly controlled by user-space, hence leading to a
 potential exploitation of the Spectre variant 1 vulnerability.

 This issue was detected with the help of Smatch:

 drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential
 spectre issue 'dma->buflist' [r] (local cap)

 Fix this by sanitizing idx before using it to index dma->buflist

 Notice that given that speculation windows are large, the policy is
 to kill the speculation on the first load and not worry if it can be
 completed with a dependent load/store [1].

 [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

 Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
 Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
 Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/gpu/drm/drm_bufs.c | 3 +++
  1 file changed, 3 insertions(+)

 diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
 index f1a204d253cc..ac22b8d86249 100644
 --- a/drivers/gpu/drm/drm_bufs.c
 +++ b/drivers/gpu/drm/drm_bufs.c
 @@ -36,6 +36,8 @@
  #include <drm/drmP.h>
  #include "drm_legacy.h"

 +#include <linux/nospec.h>
 +
  static struct drm_map_list *drm_find_matching_map(struct drm_device *dev,
  						  struct drm_local_map *map)
  {
 @@ -1332,6 +1334,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data,
  				  idx, dma->buf_count - 1);
  			return -EINVAL;
  		}
 +		idx = array_index_nospec(idx, dma->buf_count);
  		buf = dma->buflist[idx];
  		if (buf->file_priv != file_priv) {
  			DRM_ERROR("Process %d freeing buffer not owned\n",
 --
 2.19.1
	From c9c8e4384dd822b463b8df56f8e415f265fd3c05 Mon Sep 17 00:00:00 2001
	From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
	Date: Tue, 16 Oct 2018 11:55:49 +0200
	Subject: drm/bufs: Fix Spectre v1 vulnerability

	[ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ]

	idx can be indirectly controlled by user-space, hence leading to a
	potential exploitation of the Spectre variant 1 vulnerability.

	This issue was detected with the help of Smatch:

	drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential
	spectre issue 'dma->buflist' [r] (local cap)

	Fix this by sanitizing idx before using it to index dma->buflist

	Notice that given that speculation windows are large, the policy is
	to kill the speculation on the first load and not worry if it can be
	completed with a dependent load/store [1].

	[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

	Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
	Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
	Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/gpu/drm/drm_bufs.c \| 3 +++
	1 file changed, 3 insertions(+)

	diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
	index f1a204d253cc..ac22b8d86249 100644
	--- a/drivers/gpu/drm/drm_bufs.c
	+++ b/drivers/gpu/drm/drm_bufs.c
	@@ -36,6 +36,8 @@
	#include <drm/drmP.h>
	#include "drm_legacy.h"

	+#include <linux/nospec.h>
	+
	static struct drm_map_list drm_find_matching_map(struct drm_device dev,
	struct drm_local_map *map)
	{
	@@ -1332,6 +1334,7 @@ int drm_legacy_freebufs(struct drm_device dev, void data,
	idx, dma->buf_count - 1);
	return -EINVAL;
	}
	+ idx = array_index_nospec(idx, dma->buf_count);
	buf = dma->buflist[idx];
	if (buf->file_priv != file_priv) {
	DRM_ERROR("Process %d freeing buffer not owned\n",
	--
	2.19.1