[PATCH] powerpc/kernel: Fix potential spectre v1 in syscall
Michael Ellerman
mpe at ellerman.id.au
Tue Mar 12 22:07:54 AEDT 2024
Breno Leitao <leitao at debian.org> writes:
> On Tue, Mar 12, 2024 at 08:17:42AM +0000, Christophe Leroy wrote:
>> +Nathan as this is RTAS related.
>>
>> Le 21/08/2018 à 20:42, Breno Leitao a écrit :
>> > The rtas syscall reads a value from a user-provided structure and uses it
>> > to index an array, being a possible area for a potential spectre v1 attack.
>> > This is the code that exposes this problem.
>> >
>> > args.rets = &args.args[nargs];
>> >
>> > The nargs is an user provided value, and the below code is an example where
>> > the 'nargs' value would be set to XX.
>> >
>> > struct rtas_args ra;
>> > ra.nargs = htobe32(XX);
>> > syscall(__NR_rtas, &ra);
>>
>>
>> This patch has been hanging around in patchwork since 2018 and doesn't
>> apply anymore. Is it still relevant ? If so, can you rebase et resubmit ?
>
> This seems to be important, since nargs is a user-provided value. I can
> submit it if the maintainers are willing to accept. I do not want to
> spend my time if no one is willing to review it.
My memory is that I didn't think it was actually a problem, because all
we do is memset args.rets to zero. I thought I'd talked to you on Slack
about it, but maybe I didn't.
Anyway we should probably just fix it to be safe and keep the static
checkers happy.
I'll rebase it and apply it, I'm sure you've got better things to do :)
cheers
More information about the Linuxppc-dev
mailing list