authorZhen Chen <chenzhen@rock-chips.com>2019-04-01 16:41:07 +0800
committerGuochun Huang <hero.huang@rock-chips.com>2019-04-12 15:26:40 +0800
commit1d7e0109221e4676f2a75f294531ce3f7bab8fbb (patch)
tree584240bc026855f8e19833791ba20df6c267e6c3
parent81624807282fdb6a2e8cea1a83060ec6b5391eed (diff)
Mali: midgard: fix Spectre v1 vulnerability
user_atom.atom_number can be indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/gpu/arm/midgard/mali_kbase_jd.c:1397 kbase_jd_submit() warn: potential spectre issue 'jctx->atoms' [r] katom = &jctx->atoms[user_atom.atom_number]; Fix this by sanitizing user_atom.atom_number before 'katom = &jctx->atoms[user_atom.atom_number];'. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Fixes: 5cf27d0b6090 ("Mali: midgard: changes to enlarge BASE_JD_ATOM_COUNT to 512, for defect 184210") Change-Id: If52f30d29a80a06c6693ddadd5947ab9fe8fbc25 Signed-off-by: Zhen Chen <chenzhen@rock-chips.com>
-rw-r--r--drivers/gpu/arm/midgard/mali_kbase_jd.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/gpu/arm/midgard/mali_kbase_jd.c b/drivers/gpu/arm/midgard/mali_kbase_jd.c
index 25c768a5ca07..68bfa3bedef8 100644
--- a/drivers/gpu/arm/midgard/mali_kbase_jd.c
+++ b/drivers/gpu/arm/midgard/mali_kbase_jd.c
@@ -28,6 +28,7 @@
#include <linux/random.h>
#include <linux/version.h>
#include <linux/ratelimit.h>
+#include <linux/nospec.h>
#include <mali_kbase_jm.h>
#include <mali_kbase_hwaccess_jm.h>
@@ -1394,6 +1395,13 @@ while (false)
#undef compiletime_assert
#undef compiletime_assert_defined
#endif
+ if (user_atom.atom_number >= BASE_JD_ATOM_COUNT) {
+ err = -EINVAL;
+ break;
+ }
+ user_atom.atom_number =
+ array_index_nospec(user_atom.atom_number,
+ BASE_JD_ATOM_COUNT);
katom = &jctx->atoms[user_atom.atom_number];
/* Record the flush ID for the cache flush optimisation */
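Review bot: The new clamp carries no comment explaining why the index is masked again right after it has been range-checked, so a later reader may "simplify" the `array_index_nospec` call away; above it add `/* The bounds check alone does not stop speculative out-of-range reads; mask the user-controlled index (Spectre v1) before it selects an entry of jctx->atoms. */`. The `err = -EINVAL; break;` path relies on the enclosing loop's exit handling to report err for the atoms already queued in this submission, which cannot be seen here because kbase_jd_submit starts and ends outside the hunk; it is worth confirming it matches the loop's existing early-exit paths. If any other user-supplied atom id in the same submission path (a dependency id, for instance) is also used as an index into jctx->atoms, it presumably needs the same check-then-mask treatment, since this commit covers only atom_number.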