git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Gustavo A. R. Silva <gustavo@embeddedor.com>
	Wed, 9 Jan 2019 19:02:36 +0000 (13:02 -0600)
committer	Stefan Bader <stefan.bader@canonical.com>
	Wed, 24 Apr 2019 08:09:12 +0000 (10:09 +0200)
commit	f8c94aae707dc0ef5d9df372f594d6c4e80d705b
tree	2ffefb6e16caf2bb4935cffe98d78b327d7d3fea	tree
parent	fa846ea5cdae1a68e96a7f3e35d8b17ab23cce35	commit \| diff

char/mwave: fix potential Spectre v1 vulnerability

ipcnum is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/char/mwave/mwavedd.c:299 mwave_ioctl() warn: potential spectre issue 'pDrvData->IPCs' [w] (local cap)

Fix this by sanitizing ipcnum before using it to index pDrvData->IPCs.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CVE-2017-5753

(cherry picked from commit 701956d4018e5d5438570e39e8bda47edd32c489)
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>