git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom
author: Jinbum Park <jinb.park7@gmail.com>
Tue, 31 Jul 2018 14:10:40 +0000 (23:10 +0900)
committer: Stefan Bader <stefan.bader@canonical.com>
Wed, 24 Apr 2019 08:09:08 +0000 (10:09 +0200)
commit: 6660dd2fa9e6850f71ed0dea09c461ccd48079c9
tree: c2bbac8d7b12636bc8745a2875c194cd28e0818d
parent: f3834b8500c5a1f294cab4cc03c263fd93ed928e
mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom

User controls @idx, which is used as the index of hwsim_world_regdom_custom.
So it can be exploited via a Spectre-like attack (speculative execution).

This kind of attack leaks the address of hwsim_world_regdom_custom,
which lets an attacker bypass security mechanisms such as KASLR.

So sanitize @idx before using it, to prevent the attack.

I leveraged strategy [1] to find and exploit this gadget.

[1] https://github.com/jinb-park/linux-exploit/tree/master/exploit-remaining-spectre-gadget/

Signed-off-by: Jinbum Park <jinb.park7@gmail.com>
[johannes: unwrap URL]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
CVE-2017-5753

(backported from commit 3a2af7cccbbaf2362db9053a946a6084e12bfa73)
[juergh: Adjusted context.]
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
drivers/net/wireless/mac80211_hwsim.c
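As an added illustration of the fix the message describes (example code written for this page, not the driver's code and not the diff of this commit, which the page does not show): a userspace re-implementation of the kernel's generic `array_index_nospec()` mask, modelled on `include/linux/nospec.h`, applied to a constructed stand-in table. The table contents, its size and the `lookup_regdom_*` names are assumptions; the pattern of a bounds check followed by a branch-free clamp is the one the message calls sanitizing @idx.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Constructed stand-in for hwsim_world_regdom_custom: a small table
 * indexed by a value that arrives from userspace (the @idx of the message). */
static const char *const regdom_table[] = {
	"world-regdom-0", "world-regdom-1", "world-regdom-2", "world-regdom-3",
};
#define REGDOM_COUNT (sizeof(regdom_table) / sizeof(regdom_table[0]))

/*
 * Userspace copy of the kernel's generic array_index_mask_nospec()
 * (include/linux/nospec.h): returns ~0UL when index < size and 0 otherwise,
 * computed without a branch so the CPU has nothing to mispredict. The shift
 * relies on the arithmetic right shift of a negative long that gcc/clang give.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp: in-range indices pass through unchanged, out-of-range ones become 0. */
static inline unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
	return index & array_index_mask_nospec(index, size);
}

/*
 * Before the fix: a plain bounds check. Architecturally correct, but a CPU
 * that speculates past the branch may still load regdom_table[idx] for an
 * out-of-range idx and leave a cache footprint (the Spectre-v1 gadget).
 */
const char *lookup_regdom_unsafe(unsigned long idx)
{
	if (idx >= REGDOM_COUNT)
		return NULL;
	return regdom_table[idx];
}

/*
 * After the fix: the same check, followed by the branch-free clamp, so even
 * the speculatively executed path indexes inside the table.
 */
const char *lookup_regdom_nospec(unsigned long idx)
{
	if (idx >= REGDOM_COUNT)
		return NULL;
	idx = array_index_nospec(idx, REGDOM_COUNT);
	return regdom_table[idx];
}

int main(void)
{
	/* Constructed sample indices: two in range, one just past the end, one huge. */
	unsigned long samples[] = { 0, 3, 4, ULONG_MAX };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned long idx = samples[i];
		const char *hit = lookup_regdom_nospec(idx);
		printf("idx=%lu mask=%#lx clamped=%lu lookup=%s\n", idx,
		       array_index_mask_nospec(idx, REGDOM_COUNT),
		       array_index_nospec(idx, REGDOM_COUNT),
		       hit ? hit : "(rejected)");
	}
	return 0;
}
```

The bounds check is kept, as in the kernel: the clamp alone does not reject bad input, it only guarantees that whatever the core loads while speculating is inside the table. When reviewing such a fix, confirm in the disassembly that the compiler emitted the mask rather than turning it back into a conditional branch.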