forked from luck/tmp_suning_uos_patched
a0d6ec8809
pdev_nr and rhport can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis' drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis' drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev' drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev' Fix this by sanitizing pdev_nr and rhport before using them to index vhcis and vhci->vhci_hcd_ss->vdev respectively. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| README | ||
| stub_dev.c | ||
| stub_main.c | ||
| stub_rx.c | ||
| stub_tx.c | ||
| stub.h | ||
| usbip_common.c | ||
| usbip_common.h | ||
| usbip_event.c | ||
| vhci_hcd.c | ||
| vhci_rx.c | ||
| vhci_sysfs.c | ||
| vhci_tx.c | ||
| vhci.h | ||
| vudc_dev.c | ||
| vudc_main.c | ||
| vudc_rx.c | ||
| vudc_sysfs.c | ||
| vudc_transfer.c | ||
| vudc_tx.c | ||
| vudc.h | ||
TODO: - more discussion about the protocol - testing - review of the userspace interface - document the protocol Please send patches for this code to Greg Kroah-Hartman <greg@kroah.com>