From: John Garry
Subject: [PATCH] libahci: Fix possible Spectre-v1 pmp indexing in ahci_led_store()
Date: Fri, 8 Jun 2018 18:26:33 +0800
Message-ID: <1528453593-225313-1-git-send-email-john.garry@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Currently smatch warns of possible Spectre-V1 issue in ahci_led_store():
drivers/ata/libahci.c:1150 ahci_led_store() warn: potential spectre issue 'pp->em_priv' (local cap)

Userspace controls @pmp from following callchain:
em_message->store()
->ata_scsi_em_message_store()
-->ap->ops->em_store()
--->ahci_led_store()

After the mask+shift @pmp is effectively an 8b value, which is used to
index into an array of length 8, so sanitize the array index.

Signed-off-by: John Garry
--
1.9.1

diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c index 7adcf3c..4ce5bb4 100644 --- a/drivers/ata/libahci.c +++ b/drivers/ata/libahci.c @@ -35,6 +35,7 @@ #include #include #include +#include #include #include #include @@ -1142,10 +1143,12 @@ static ssize_t ahci_led_store(struct ata_port *ap, const char *buf, /* get the slot number from the message */ pmp = (state & EM_MSG_LED_PMP_SLOT) >> 8; - if (pmp < EM_MAX_SLOTS) + if (pmp < EM_MAX_SLOTS) { + pmp = array_index_nospec(pmp, EM_MAX_SLOTS); emp = &pp->em_priv[pmp]; - else + } else { return -EINVAL; + } /* mask off the activity bits if we are in sw_activity * mode, user should turn off sw_activity before setting
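
Review bot: In the ahci_led_store() hunk, the added braces and the `} else { return -EINVAL; }` arm can be avoided by inverting the test: `if (pmp >= EM_MAX_SLOTS) return -EINVAL;` followed by `pmp = array_index_nospec(pmp, EM_MAX_SLOTS);` and `emp = &pp->em_priv[pmp];`. That keeps the clamp directly between the bounds check and the em_priv[] dereference, which is where it has to sit to cover the mispredicted path, and it drops the else-after-return. The declaration of pmp is outside the hunk; since the check is only `pmp < EM_MAX_SLOTS` with no lower bound, it is worth confirming that pmp is an unsigned type.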
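
What the array_index_nospec() call in the patch above contributes, shown as an added userspace C model that is not part of the original mail and is not the kernel's implementation: a branchless clamp that forces an out-of-range index to 0 independently of the bounds-check branch. SLOT_MASK (a stand-in for EM_MSG_LED_PMP_SLOT), em_priv_model and the helper names are assumptions made for this illustration.

```c
#include <limits.h>

#define EM_MAX_SLOTS 8			/* array length stated in the commit message */
#define SLOT_MASK    0x0000ff00UL	/* assumed stand-in for EM_MSG_LED_PMP_SLOT */
#define LONG_BITS    (sizeof(unsigned long) * CHAR_BIT)

/* Constructed sample data standing in for pp->em_priv[]. */
static int em_priv_model[EM_MAX_SLOTS] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/*
 * Branchless mask: all ones when index < size, zero otherwise.
 * If index >= size, either index has its top bit set or
 * (size - 1 - index) wraps and has its top bit set, so the inverted
 * OR has a clear top bit. Assumes size <= LONG_MAX. This shows the
 * arithmetic only; a userspace compiler is free to optimise it.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	unsigned long top = ~(index | (size - 1UL - index)) >> (LONG_BITS - 1);

	return 0UL - top;	/* 1 -> ~0UL, 0 -> 0 */
}

/* Clamp: in-range indexes pass through, out-of-range ones become 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/*
 * Model of the patched lookup: returns the slot value, or -1 where the
 * driver returns -EINVAL. The index that reaches the array load is the
 * clamped one, so it stays inside the array even if the branch result
 * were ignored.
 */
static int slot_lookup(unsigned long state)
{
	unsigned long pmp = (state & SLOT_MASK) >> 8;

	if (pmp >= EM_MAX_SLOTS)
		return -1;
	pmp = index_nospec(pmp, EM_MAX_SLOTS);
	return em_priv_model[pmp];
}

int main(void)
{
	return slot_lookup(0x0300UL) == 13 ? 0 : 1;
}
```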