From: Mark Rutland
To: linux-kernel@vger.kernel.org
Cc: Mark Rutland, Peter Zijlstra, Ingo Molnar
Subject: [PATCH] perf/core: fix possible spectre-v1 write
Date: Tue, 10 Jul 2018 19:06:07 +0100
Message-Id: <20180710180607.56624-1-mark.rutland@arm.com>
X-Patchwork-Id: 141650

It's possible for userspace to control event_id. Sanitize event_id when
using it as an array index, to inhibit the potential spectre-v1 write
gadget.

This class of issue is also known as CVE-2018-3693, or "bounds check
bypass store".

Found by smatch.

Signed-off-by: Mark Rutland Cc: Peter Zijlstra Cc: Ingo Molnar --- kernel/events/core.c | 2 ++ 1 file changed, 2 insertions(+) For Arm CPUs, more details can be found in the Arm Cache Speculation Side-channels whitepaper, available from the Arm security updates site [1]. Mark. [1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability -- 2.11.0 diff --git a/kernel/events/core.c b/kernel/events/core.c index 8f0434a9951a..eece719bd18e 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -8155,6 +8155,7 @@ struct static_key perf_swevent_enabled[PERF_COUNT_SW_MAX]; static void sw_perf_event_destroy(struct perf_event *event) { u64 event_id = event->attr.config; + event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX); WARN_ON(event->parent); @@ -8186,6 +8187,7 @@ static int perf_swevent_init(struct perf_event *event) if (event_id >= PERF_COUNT_SW_MAX) return -ENOENT; + event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX); if (!event->parent) { int err;
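
Review bot: in sw_perf_event_destroy() (first hunk) the new array_index_nospec() call is the only range handling on event_id in the visible lines; unlike perf_swevent_init() there is no `event_id >= PERF_COUNT_SW_MAX` test in front of it. array_index_nospec() yields 0 for an out-of-range index, so a short comment stating that the value was already validated at init time would make clear the clamp is purely a speculation barrier here and not a second bounds check. event_id is also declared `u64` and passed straight to array_index_nospec(); please confirm this builds on 32-bit configurations, where a u64 index is wider than unsigned long.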
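
Review bot: in perf_swevent_init() (second hunk) the clamp directly after `if (event_id >= PERF_COUNT_SW_MAX)` is well placed, but it sanitizes only the local event_id, and nothing at this site says why the assignment is needed once the check has passed. A one-line comment naming the speculative bypass of that check would help, and the commit message could name the indexed store being protected, since neither hunk shows the access itself.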
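
The clamp the commit message describes, as an added userspace example that is not part of the original mail or the kernel's code: it models the branchless masking arithmetic behind an index clamp and the check-then-clamp pattern of the second hunk. TABLE_MAX, index_mask_nospec(), index_nospec(), enable_event() and destroy_slot() are hypothetical names, and TABLE_MAX is a constructed stand-in for PERF_COUNT_SW_MAX.

```c
#include <limits.h>
#include <stdio.h>

#define TABLE_MAX 8UL /* constructed stand-in for PERF_COUNT_SW_MAX */
#define ULONG_BITS (sizeof(unsigned long) * CHAR_BIT)

/* All-ones when index < size, zero otherwise, with no conditional branch.
 * Correct for any index as long as size <= LONG_MAX. This models the
 * arithmetic only; a compiler is free to transform plain userspace C. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Top bit of x is set iff index >= size (size - 1 - index wraps). */
    unsigned long x = index | (size - 1UL - index);
    return 0UL - (~x >> (ULONG_BITS - 1));
}

/* In-range indices pass through unchanged; out-of-range ones become 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

static int enabled[TABLE_MAX];

/* Init-path pattern: architectural bounds check first, then the clamp, so
 * a mispredicted branch still cannot index past the table. */
static int enable_event(unsigned long id)
{
    if (id >= TABLE_MAX)
        return -1;
    id = index_nospec(id, TABLE_MAX);
    enabled[id]++;
    return 0;
}

/* Destroy-path pattern: clamp only. An id that was never validated would
 * silently land on slot 0 instead of being rejected. */
static unsigned long destroy_slot(unsigned long id)
{
    return index_nospec(id, TABLE_MAX);
}

int main(void)
{
    printf("in range 3 -> %lu\n", index_nospec(3, TABLE_MAX));
    printf("out of range %lu -> %lu\n", TABLE_MAX, index_nospec(TABLE_MAX, TABLE_MAX));
    printf("enable_event(100) = %d\n", enable_event(100));
    printf("destroy_slot(100) = %lu\n", destroy_slot(100));
    return 0;
}
```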