| From foo@baz Mon Sep 17 12:33:31 CEST 2018 |
| From: Jinbum Park <jinb.park7@gmail.com> |
| Date: Sat, 28 Jul 2018 13:20:44 +0900 |
| Subject: pktcdvd: Fix possible Spectre-v1 for pkt_devs |
| |
| From: Jinbum Park <jinb.park7@gmail.com> |
| |
| [ Upstream commit 55690c07b44a82cc3359ce0c233f4ba7d80ba145 ] |
| |
| User controls @dev_minor which to be used as index of pkt_devs. |
| So, It can be exploited via Spectre-like attack. (speculative execution) |
| |
| This kind of attack leaks address of pkt_devs, [1] |
| It leads an attacker to bypass security mechanism such as KASLR. |
| |
| So sanitize @dev_minor before using it to prevent attack. |
| |
| [1] https://github.com/jinb-park/linux-exploit/ |
| tree/master/exploit-remaining-spectre-gadget/leak_pkt_devs.c |
| |
| Signed-off-by: Jinbum Park <jinb.park7@gmail.com> |
| Signed-off-by: Jens Axboe <axboe@kernel.dk> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/block/pktcdvd.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/block/pktcdvd.c |
| +++ b/drivers/block/pktcdvd.c |
| @@ -67,7 +67,7 @@ |
| #include <scsi/scsi.h> |
| #include <linux/debugfs.h> |
| #include <linux/device.h> |
| - |
| +#include <linux/nospec.h> |
| #include <linux/uaccess.h> |
| |
| #define DRIVER_NAME "pktcdvd" |
| @@ -2231,6 +2231,8 @@ static struct pktcdvd_device *pkt_find_d |
| { |
| if (dev_minor >= MAX_WRITERS) |
| return NULL; |
| + |
| + dev_minor = array_index_nospec(dev_minor, MAX_WRITERS); |
| return pkt_devs[dev_minor]; |
| } |
| |
