Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()

From: Matthew Wilcox
Date: Wed May 29 2019 - 15:52:29 EST

Next message: bsegall: "Re: [PATCH v3 1/1] sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices"
Previous message: Jann Horn: "Re: [PATCH 3/7] vfs: Add a mount-notification facility"
In reply to: Dianzhang Chen: "Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()"
Next in thread: Dianzhang Chen: "Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, May 29, 2019 at 08:37:28PM +0800, Dianzhang Chen wrote:
> The `size` in kmalloc_slab() is indirectly controlled by userspace via syscall: poll(defined in fs/select.c), hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
> The `size` can be controlled from: poll -> do_sys_poll -> kmalloc -> __kmalloc -> kmalloc_slab.
>
> Fix this by sanitizing `size` before using it to index size_index.

I think it makes more sense to sanitize size in size_index_elem(),
don't you?

static inline unsigned int size_index_elem(unsigned int bytes)
{
- return (bytes - 1) / 8;
+ return array_index_nospec((bytes - 1) / 8, ARRAY_SIZE(size_index));
}

(untested)

Next message: bsegall: "Re: [PATCH v3 1/1] sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices"
Previous message: Jann Horn: "Re: [PATCH 3/7] vfs: Add a mount-notification facility"
In reply to: Dianzhang Chen: "Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()"
Next in thread: Dianzhang Chen: "Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]