diff options
| author | Davidlohr Bueso <dave@stgolabs.net> | 2018-06-14 18:27:51 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-06-14 18:55:25 -0400 |
| commit | ec67aaa46dce26d671b46c94ac674ad0b67d044c (patch) | |
| tree | e4819ea3c6b732dfb972c6507ec9f4c962e00129 | |
| parent | f1b4bd0676c2b3d4a023cf3f5d535e618f7e6eff (diff) | |
sysvipc/sem: mitigate semnum index against spectre v1
Both smatch and coverity are reporting potential issues with spectre
variant 1 with the 'semnum' index within the sma->sems array, ie:
ipc/sem.c:388 sem_lock() warn: potential spectre issue 'sma->sems'
ipc/sem.c:641 perform_atomic_semop_slow() warn: potential spectre issue 'sma->sems'
ipc/sem.c:721 perform_atomic_semop() warn: potential spectre issue 'sma->sems'
Avoid any possible speculation by using array_index_nospec() thus
ensuring the semnum value is bounded to [0, sma->sem_nsems). With the
exception of sem_lock() all of these are slowpaths.
Link: http://lkml.kernel.org/r/20180423171131.njs4rfm2yzyeg6do@linux-n805
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | ipc/sem.c | 18 |
1 files changed, 14 insertions, 4 deletions
| @@ -85,6 +85,7 @@ | |||
| 85 | #include <linux/nsproxy.h> | 85 | #include <linux/nsproxy.h> |
| 86 | #include <linux/ipc_namespace.h> | 86 | #include <linux/ipc_namespace.h> |
| 87 | #include <linux/sched/wake_q.h> | 87 | #include <linux/sched/wake_q.h> |
| 88 | #include <linux/nospec.h> | ||
| 88 | 89 | ||
| 89 | #include <linux/uaccess.h> | 90 | #include <linux/uaccess.h> |
| 90 | #include "util.h" | 91 | #include "util.h" |
| @@ -368,6 +369,7 @@ static inline int sem_lock(struct sem_array *sma, struct sembuf *sops, | |||
| 368 | int nsops) | 369 | int nsops) |
| 369 | { | 370 | { |
| 370 | struct sem *sem; | 371 | struct sem *sem; |
| 372 | int idx; | ||
| 371 | 373 | ||
| 372 | if (nsops != 1) { | 374 | if (nsops != 1) { |
| 373 | /* Complex operation - acquire a full lock */ | 375 | /* Complex operation - acquire a full lock */ |
| @@ -385,7 +387,8 @@ static inline int sem_lock(struct sem_array *sma, struct sembuf *sops, | |||
| 385 | * | 387 | * |
| 386 | * Both facts are tracked by use_global_mode. | 388 | * Both facts are tracked by use_global_mode. |
| 387 | */ | 389 | */ |
| 388 | sem = &sma->sems[sops->sem_num]; | 390 | idx = array_index_nospec(sops->sem_num, sma->sem_nsems); |
| 391 | sem = &sma->sems[idx]; | ||
| 389 | 392 | ||
| 390 | /* | 393 | /* |
| 391 | * Initial check for use_global_lock. Just an optimization, | 394 | * Initial check for use_global_lock. Just an optimization, |
| @@ -638,7 +641,8 @@ static int perform_atomic_semop_slow(struct sem_array *sma, struct sem_queue *q) | |||
| 638 | un = q->undo; | 641 | un = q->undo; |
| 639 | 642 | ||
| 640 | for (sop = sops; sop < sops + nsops; sop++) { | 643 | for (sop = sops; sop < sops + nsops; sop++) { |
| 641 | curr = &sma->sems[sop->sem_num]; | 644 | int idx = array_index_nospec(sop->sem_num, sma->sem_nsems); |
| 645 | curr = &sma->sems[idx]; | ||
| 642 | sem_op = sop->sem_op; | 646 | sem_op = sop->sem_op; |
| 643 | result = curr->semval; | 647 | result = curr->semval; |
| 644 | 648 | ||
| @@ -718,7 +722,9 @@ static int perform_atomic_semop(struct sem_array *sma, struct sem_queue *q) | |||
| 718 | * until the operations can go through. | 722 | * until the operations can go through. |
| 719 | */ | 723 | */ |
| 720 | for (sop = sops; sop < sops + nsops; sop++) { | 724 | for (sop = sops; sop < sops + nsops; sop++) { |
| 721 | curr = &sma->sems[sop->sem_num]; | 725 | int idx = array_index_nospec(sop->sem_num, sma->sem_nsems); |
| 726 | |||
| 727 | curr = &sma->sems[idx]; | ||
| 722 | sem_op = sop->sem_op; | 728 | sem_op = sop->sem_op; |
| 723 | result = curr->semval; | 729 | result = curr->semval; |
| 724 | 730 | ||
| @@ -1356,6 +1362,7 @@ static int semctl_setval(struct ipc_namespace *ns, int semid, int semnum, | |||
| 1356 | return -EIDRM; | 1362 | return -EIDRM; |
| 1357 | } | 1363 | } |
| 1358 | 1364 | ||
| 1365 | semnum = array_index_nospec(semnum, sma->sem_nsems); | ||
| 1359 | curr = &sma->sems[semnum]; | 1366 | curr = &sma->sems[semnum]; |
| 1360 | 1367 | ||
| 1361 | ipc_assert_locked_object(&sma->sem_perm); | 1368 | ipc_assert_locked_object(&sma->sem_perm); |
| @@ -1509,6 +1516,8 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, | |||
| 1509 | err = -EIDRM; | 1516 | err = -EIDRM; |
| 1510 | goto out_unlock; | 1517 | goto out_unlock; |
| 1511 | } | 1518 | } |
| 1519 | |||
| 1520 | semnum = array_index_nospec(semnum, nsems); | ||
| 1512 | curr = &sma->sems[semnum]; | 1521 | curr = &sma->sems[semnum]; |
| 1513 | 1522 | ||
| 1514 | switch (cmd) { | 1523 | switch (cmd) { |
| @@ -2081,7 +2090,8 @@ static long do_semtimedop(int semid, struct sembuf __user *tsops, | |||
| 2081 | */ | 2090 | */ |
| 2082 | if (nsops == 1) { | 2091 | if (nsops == 1) { |
| 2083 | struct sem *curr; | 2092 | struct sem *curr; |
| 2084 | curr = &sma->sems[sops->sem_num]; | 2093 | int idx = array_index_nospec(sops->sem_num, sma->sem_nsems); |
| 2094 | curr = &sma->sems[idx]; | ||
| 2085 | 2095 | ||
| 2086 | if (alter) { | 2096 | if (alter) { |
| 2087 | if (sma->complex_count) { | 2097 | if (sma->complex_count) { |