[PATCHv3] habanalabs: fix potential spectre v1 gadgets
From: Jordy Zomer
Date: Wed Feb 02 2022 - 14:11:20 EST
It appears like nr could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents of kernel memory
being leaked to userspace via speculative execution by using
array_index_nospec.
Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
Changes v1 -> v2: Added the correct offsets
Changes v2 -> v3: Fixed line-wrapping
---
drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
index 3ba3a8ffda3e..c1cdf712a10d 100644
--- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
+++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
@@ -14,6 +14,7 @@
#include <linux/fs.h>
#include <linux/uaccess.h>
#include <linux/slab.h>
+#include <linux/nospec.h>
static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = {
[HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr),
@@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
}
if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
+ nr = array_index_nospec(nr, HL_COMMAND_END);
ioctl = &hl_ioctls[nr];
} else {
dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
@@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
}
if (nr == _IOC_NR(HL_IOCTL_INFO)) {
+ nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO)+1);
ioctl = &hl_ioctls_control[nr];
} else {
dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
--
2.27.0