git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Mark Rutland <mark.rutland@arm.com>
	Tue, 10 Jul 2018 18:01:23 +0000 (19:01 +0100)
committer	Stefan Bader <stefan.bader@canonical.com>
	Wed, 24 Apr 2019 08:09:06 +0000 (10:09 +0200)
commit	d32b9e71dd57ecc19ffbbf2b6b1fe308ab5c523b
tree	938423e0e461015f35c885f22d50209b84869972	tree
parent	cfb2ecd7895f554b4fc30c790553d79b57a9354d	commit \| diff

KVM: arm/arm64: vgic: Fix possible spectre-v1 write in vgic_mmio_write_apr()

It's possible for userspace to control n. Sanitize n when using it as an
array index, to inhibit the potential spectre-v1 write gadget.

Note that while it appears that n must be bound to the interval [0,3]
due to the way it is extracted from addr, we cannot guarantee that
compiler transformations (and/or future refactoring) will ensure this is
the case, and given this is a slow path it's better to always perform
the masking.

Found by smatch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Christoffer Dall <christoffer.dall@arm.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: kvmarm@lists.cs.columbia.edu
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
CVE-2017-5753

(cherry picked from commit 6b8b9a48545e08345b8ff77c9fd51b1aebdbefb3)
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>