Re: [PATCH 10/18] qla2xxx: prevent bounds-check bypass via speculative execution

From: Greg KH
Date: Sat Jan 06 2018 - 04:03:31 EST

Next message: Greg KH: "Re: [PATCH 07/18] [media] uvcvideo: prevent bounds-check bypass via speculative execution"
Previous message: Greg KH: "Re: [PATCH 14/18] ipv4: prevent bounds-check bypass via speculative execution"
In reply to: Dan Williams: "[PATCH 10/18] qla2xxx: prevent bounds-check bypass via speculative execution"
Next in thread: Greg KH: "Re: [PATCH 10/18] qla2xxx: prevent bounds-check bypass via speculative execution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 05, 2018 at 05:10:48PM -0800, Dan Williams wrote:
> Static analysis reports that 'handle' may be a user controlled value
> that is used as a data dependency to read 'sp' from the
> 'req->outstanding_cmds' array. In order to avoid potential leaks of
> kernel memory values, block speculative execution of the instruction
> stream that could issue reads based on an invalid value of 'sp'. In this
> case 'sp' is directly dereferenced later in the function.

I'm pretty sure that 'handle' comes from the hardware, not from
userspace, from what I can tell here. If we want to start auditing
__iomem data sources, great! But that's a bigger task, and one I don't
think we are ready to tackle...

thanks,

greg k-h

Next message: Greg KH: "Re: [PATCH 07/18] [media] uvcvideo: prevent bounds-check bypass via speculative execution"
Previous message: Greg KH: "Re: [PATCH 14/18] ipv4: prevent bounds-check bypass via speculative execution"
In reply to: Dan Williams: "[PATCH 10/18] qla2xxx: prevent bounds-check bypass via speculative execution"
Next in thread: Greg KH: "Re: [PATCH 10/18] qla2xxx: prevent bounds-check bypass via speculative execution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]