• Gustavo A. R. Silva's avatar
    HID: hiddev: fix potential Spectre v1 · 4f65245f
    Gustavo A. R. Silva authored
    uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be
    indirectly controlled by user-space, hence leading to a potential exploitation
    of the Spectre variant 1 vulnerability.
    
    This issue was detected with the help of Smatch:
    
    drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap)
    drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap)
    drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap)
    drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap)
    
    Fix this by sanitizing such structure fields before using them to index
    report->field, field->usage and hid->collection
    
    Notice that given that speculation windows are large, the policy is
    to kill the speculation on the first load and not worry if it can be
    completed with a dependent load/store [1].
    
    [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
    
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
    Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
    4f65245f
hiddev.c 22.9 KB