| From 92c4cfaee6872038563c5b6f2e8e613f9d84d47d Mon Sep 17 00:00:00 2001 |
| From: Jordy Zomer <jordy@pwning.systems> |
| Date: Sat, 29 Jan 2022 16:06:04 +0100 |
| Subject: dma-buf: heaps: Fix potential spectre v1 gadget |
| |
| From: Jordy Zomer <jordy@pwning.systems> |
| |
| commit 92c4cfaee6872038563c5b6f2e8e613f9d84d47d upstream. |
| |
| It appears like nr could be a Spectre v1 gadget as it's supplied by a |
| user and used as an array index. Prevent the contents |
| of kernel memory from being leaked to userspace via speculative |
| execution by using array_index_nospec. |
| |
| Signed-off-by: Jordy Zomer <jordy@pwning.systems> |
| Fixes: c02a81fba74f ("dma-buf: Add dma-buf heaps framework") |
| Cc: <stable@vger.kernel.org> # v5.6+ |
| Acked-by: John Stultz <john.stultz@linaro.org> |
| Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org> |
| [sumits: added fixes and cc: stable tags] |
| Link: https://patchwork.freedesktop.org/patch/msgid/20220129150604.3461652-1-jordy@pwning.systems |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/dma-buf/dma-heap.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/drivers/dma-buf/dma-heap.c |
| +++ b/drivers/dma-buf/dma-heap.c |
| @@ -14,6 +14,7 @@ |
| #include <linux/xarray.h> |
| #include <linux/list.h> |
| #include <linux/slab.h> |
| +#include <linux/nospec.h> |
| #include <linux/uaccess.h> |
| #include <linux/syscalls.h> |
| #include <linux/dma-heap.h> |
| @@ -123,6 +124,7 @@ static long dma_heap_ioctl(struct file * |
| if (nr >= ARRAY_SIZE(dma_heap_ioctl_cmds)) |
| return -EINVAL; |
| |
| + nr = array_index_nospec(nr, ARRAY_SIZE(dma_heap_ioctl_cmds)); |
| /* Get the kernel ioctl cmd that matches */ |
| kcmd = dma_heap_ioctl_cmds[nr]; |
| |
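Review bot: Style point on the added `nr = array_index_nospec(nr, ARRAY_SIZE(dma_heap_ioctl_cmds));` line in dma_heap_ioctl(): it sits directly above the `/* Get the kernel ioctl cmd that matches */` comment with no blank line, so it reads as part of the lookup step rather than as the hardening it is. Suggest a blank line after it and a one-line comment saying that nr comes from userspace and is clamped before it indexes `dma_heap_ioctl_cmds[nr]`. The ordering is correct and should be kept: the clamp follows the `nr >= ARRAY_SIZE(dma_heap_ioctl_cmds)` check, which still has to reject bad values with -EINVAL because array_index_nospec() silently clamps an out-of-range index to 0 rather than reporting an error.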