git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Gustavo A. R. Silva <gustavo@embeddedor.com>
	Tue, 17 Jul 2018 17:39:00 +0000 (12:39 -0500)
committer	Khalid Elmously <khalid.elmously@canonical.com>
	Wed, 6 Feb 2019 04:53:01 +0000 (04:53 +0000)
commit	f5788a7a403d0a62320e3320d70197a0199cbc49
tree	d66ccac9e1d3e3ae73d7a70b3b47682010ce7921	tree
parent	4bca0a2353d127a3ef5839b22ab85330fd27f806	commit \| diff

vfio/pci: Fix potential Spectre v1

BugLink: http://bugs.launchpad.net/bugs/1812229
commit 0e714d27786ce1fb3efa9aac58abc096e68b1c2a upstream.

info.index can be indirectly controlled by user-space, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/vfio/pci/vfio_pci.c:734 vfio_pci_ioctl()
warn: potential spectre issue 'vdev->region'

Fix this by sanitizing info.index before indirectly using it to index
vdev->region

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>