Re: [PATCH 1/1] cdrom: Fix spectre-v1 gadget

From: Phillip Potter
Date: Sat Jun 10 2023 - 15:10:33 EST


On Fri, Jun 09, 2023 at 01:13:55PM +0000, Jordy Zomer wrote:
> This patch fixes a spectre-v1 gadget in cdrom.
> The gadget could be triggered by
> speculatively bypassing the cdi->capacity check.
>
> Signed-off-by: Jordy Zomer <jordyzomer@xxxxxxxxxx>
> ---
> drivers/cdrom/cdrom.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> index 416f723a2dbb..3c349bc0a269 100644
> --- a/drivers/cdrom/cdrom.c
> +++ b/drivers/cdrom/cdrom.c
> @@ -233,6 +233,7 @@
>
> -------------------------------------------------------------------------*/
>
> +#include "asm/barrier.h"
> #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>
> #define REVISION "Revision: 3.20"
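Review bot: the added `#include "asm/barrier.h"` is the wrong header and is placed badly. `array_index_mask_nospec()` is only provided by some architectures' `asm/barrier.h`; the generic fallback and the `array_index_nospec()` wrapper live in `<linux/nospec.h>`, which is the header callers should include (the alpha build failure the test robot reported is consistent with the symbol being missing there). Kernel headers are also included with angle brackets, not quotes, and the include should sit with the file's other `#include` lines rather than above `#define pr_fmt(fmt)`, since `pr_fmt` must be defined before any header that uses it is pulled in.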
> @@ -2329,6 +2330,8 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
> if (arg >= cdi->capacity)
> return -EINVAL;
>
> + arg = array_index_mask_nospec(arg, cdi->capacity);
> +
> info = kmalloc(sizeof(*info), GFP_KERNEL);
> if (!info)
> return -ENOMEM;
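Review bot: `arg = array_index_mask_nospec(arg, cdi->capacity);` changes the function's behaviour rather than hardening it. `array_index_mask_nospec()` returns a mask (all ones when `arg < cdi->capacity`, zero otherwise), not a clamped index, so `arg` is no longer the slot number after this line. The helper that keeps the value usable as an index while blocking the speculative bypass of the preceding `if (arg >= cdi->capacity)` check is `array_index_nospec()`:

    arg = array_index_nospec(arg, cdi->capacity);

with `#include <linux/nospec.h>` added alongside the file's other includes.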
> --
> 2.41.0.162.gfafddb0af9-goog
>

Hi Jordy,

Thanks for the patch, much appreciated. Sadly, as Pawan has already
pointed out, array_index_mask_nospec actually changes the behaviour of
this function, such that 'arg' would no longer be an array index.

In addition, it seems to have triggered the kernel test robot with an
alpha build error.

Regards,
Phil