Commit a0d6ec88 authored by Gustavo A. R. Silva's avatar Gustavo A. R. Silva Committed by Greg Kroah-Hartman

usbip: vhci_sysfs: fix potential Spectre v1

pdev_nr and rhport can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:
drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis'
drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis'
drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev'
drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev'

Fix this by sanitizing pdev_nr and rhport before using them to index
vhcis and vhci->vhci_hcd_ss->vdev respectively.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: default avatarShuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 4a014a73
...@@ -10,6 +10,9 @@ ...@@ -10,6 +10,9 @@
#include <linux/platform_device.h> #include <linux/platform_device.h>
#include <linux/slab.h> #include <linux/slab.h>
/* Hardening for Spectre-v1 */
#include <linux/nospec.h>
#include "usbip_common.h" #include "usbip_common.h"
#include "vhci.h" #include "vhci.h"
...@@ -205,16 +208,20 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport) ...@@ -205,16 +208,20 @@ static int vhci_port_disconnect(struct vhci_hcd *vhci_hcd, __u32 rhport)
return 0; return 0;
} }
static int valid_port(__u32 pdev_nr, __u32 rhport) static int valid_port(__u32 *pdev_nr, __u32 *rhport)
{ {
if (pdev_nr >= vhci_num_controllers) { if (*pdev_nr >= vhci_num_controllers) {
pr_err("pdev %u\n", pdev_nr); pr_err("pdev %u\n", *pdev_nr);
return 0; return 0;
} }
if (rhport >= VHCI_HC_PORTS) { *pdev_nr = array_index_nospec(*pdev_nr, vhci_num_controllers);
pr_err("rhport %u\n", rhport);
if (*rhport >= VHCI_HC_PORTS) {
pr_err("rhport %u\n", *rhport);
return 0; return 0;
} }
*rhport = array_index_nospec(*rhport, VHCI_HC_PORTS);
return 1; return 1;
} }
...@@ -232,7 +239,7 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr, ...@@ -232,7 +239,7 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr,
pdev_nr = port_to_pdev_nr(port); pdev_nr = port_to_pdev_nr(port);
rhport = port_to_rhport(port); rhport = port_to_rhport(port);
if (!valid_port(pdev_nr, rhport)) if (!valid_port(&pdev_nr, &rhport))
return -EINVAL; return -EINVAL;
hcd = platform_get_drvdata(vhcis[pdev_nr].pdev); hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);
...@@ -258,7 +265,8 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr, ...@@ -258,7 +265,8 @@ static ssize_t detach_store(struct device *dev, struct device_attribute *attr,
} }
static DEVICE_ATTR_WO(detach); static DEVICE_ATTR_WO(detach);
static int valid_args(__u32 pdev_nr, __u32 rhport, enum usb_device_speed speed) static int valid_args(__u32 *pdev_nr, __u32 *rhport,
enum usb_device_speed speed)
{ {
if (!valid_port(pdev_nr, rhport)) { if (!valid_port(pdev_nr, rhport)) {
return 0; return 0;
...@@ -322,7 +330,7 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr, ...@@ -322,7 +330,7 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr,
sockfd, devid, speed); sockfd, devid, speed);
/* check received parameters */ /* check received parameters */
if (!valid_args(pdev_nr, rhport, speed)) if (!valid_args(&pdev_nr, &rhport, speed))
return -EINVAL; return -EINVAL;
hcd = platform_get_drvdata(vhcis[pdev_nr].pdev); hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment