git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Breno Leitao <leitao@debian.org>
	Wed, 30 Jan 2019 12:46:00 +0000 (10:46 -0200)
committer	Stefan Bader <stefan.bader@canonical.com>
	Wed, 24 Apr 2019 08:09:12 +0000 (10:09 +0200)
commit	3ea20817874764ac20b0fc12a152524f2f067ed5
tree	99ad2f078e2046bded5cd1251040d5eb06efa40d	tree
parent	6c03b0aeab58eeb2abafb425fba3beeef1a400f5	commit \| diff

powerpc/ptrace: Mitigate potential Spectre v1

'regno' is directly controlled by user space, hence leading to a potential
exploitation of the Spectre variant 1 vulnerability.

On PTRACE_SETREGS and PTRACE_GETREGS requests, user space passes the
register number that would be read or written. This register number is
called 'regno' which is part of the 'addr' syscall parameter.

This 'regno' value is checked against the maximum pt_regs structure size,
and then used to dereference it, which matches the initial part of a
Spectre v1 (and Spectre v1.1) attack. The dereferenced value, then,
is returned to userspace in the GETREGS case.

This patch sanitizes 'regno' before using it to dereference pt_reg.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
CVE-2017-5753

(backported from commit ebb0e13ead2ddc186a80b1b0235deeefc5a1a667)
[juergh: Adjusted context.]
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>