[PATCH 1/7] perf: Fix possible Spectre-v1 for aux_pages

From: Peter Zijlstra
Date: Fri Apr 20 2018 - 09:20:25 EST


> kernel/events/ring_buffer.c:871 perf_mmap_to_page() warn: potential spectre issue 'rb->aux_pages'

Userspace controls @pgoff through the fault address. Sanitize the
array index before doing the array dereference.

Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
---
kernel/events/ring_buffer.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -867,8 +867,10 @@ perf_mmap_to_page(struct ring_buffer *rb
return NULL;

/* AUX space */
- if (pgoff >= rb->aux_pgoff)
- return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]);
+ if (pgoff >= rb->aux_pgoff) {
+ int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages);
+ return virt_to_page(rb->aux_pages[aux_pgoff]);
+ }
}

return __perf_mmap_to_page(rb, pgoff);
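
Review bot: the AUX-space branch now calls array_index_nospec(), but the diffstat (4 insertions, 2 deletions) is fully accounted for by this hunk, so no `#include <linux/nospec.h>` is being added. If ring_buffer.c does not already include it directly, add it rather than relying on an indirect include. Two smaller points on the same lines. First, array_index_nospec() yields 0 for any index that is not below the size, so it is only correct behind an architectural bounds check. Only the `return NULL;` of the preceding check is visible here, so please confirm that check guarantees `pgoff - rb->aux_pgoff < rb->aux_nr_pages`; otherwise an out-of-range offset silently resolves to `rb->aux_pages[0]`. Second, the result is stored in `int aux_pgoff`, which can narrow the index if pgoff is wider than int. Declaring the local with pgoff's type avoids that. A blank line between the declaration and the `return` would also match kernel style.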