[PATCH] powerpc/kernel: Fix potential spectre v1 in syscall

[Christophe Leroy]

+Nathan as this is RTAS related.

Le 21/08/2018 à 20:42, Breno Leitao a écrit :
> The rtas syscall reads a value from a user-provided structure and uses it
> to index an array, being a possible area for a potential spectre v1 attack.
> This is the code that exposes this problem.
> 
> 	args.rets = &args.args[nargs];
> 
> The nargs is an user provided value, and the below code is an example where
> the 'nargs' value would be set to XX.
> 
> 	struct rtas_args ra;
> 	ra.nargs = htobe32(XX);
> 	syscall(__NR_rtas, &ra);


This patch has been hanging around in patchwork since 2018 and doesn't 
apply anymore. Is it still relevant ? If so, can you rebase et resubmit ?

Thanks
Christophe


> 
> Signed-off-by: Breno Leitao <leitao at debian.org>
> ---
>   arch/powerpc/kernel/rtas.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
> index 8afd146bc9c7..5ef3c863003d 100644
> --- a/arch/powerpc/kernel/rtas.c
> +++ b/arch/powerpc/kernel/rtas.c
> @@ -27,6 +27,7 @@
>   #include <linux/slab.h>
>   #include <linux/reboot.h>
>   #include <linux/syscalls.h>
> +#include <linux/nospec.h>
>   
>   #include <asm/prom.h>
>   #include <asm/rtas.h>
> @@ -1056,7 +1057,7 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
>   	struct rtas_args args;
>   	unsigned long flags;
>   	char *buff_copy, *errbuf = NULL;
> -	int nargs, nret, token;
> +	int index, nargs, nret, token;
>   
>   	if (!capable(CAP_SYS_ADMIN))
>   		return -EPERM;
> @@ -1084,7 +1085,8 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
>   	if (token == RTAS_UNKNOWN_SERVICE)
>   		return -EINVAL;
>   
> -	args.rets = &args.args[nargs];
> +	index = array_index_nospec(nargs, ARRAY_SIZE(args.args));
> +	args.rets = &args.args[index];
>   	memset(args.rets, 0, nret * sizeof(rtas_arg_t));
>   
>   	/* Need to handle ibm,suspend_me call specially */