Re: [PATCH v5 6/8] platform/x86/amd/hsmp: Sanitize hsmp_ioctl_msg() msg_id for Spectre v1
From: Ilpo Järvinen
Date: Thu Jun 11 2026 - 08:12:03 EST
On Thu, 11 Jun 2026, Muralidhara M K wrote:
> Although validate_message() checks msg_id, a mispredicted branch can
> still allow speculative indexing into hsmp_msg_desc_table[]. Clamp
> msg.msg_id with array_index_nospec() at entry to hsmp_ioctl_msg() so
> downstream dereferences (including via is_get_msg() and
> hsmp_send_message()) see a bounded index.
>
> Reviewed-by: Muthusamy Ramalingam <muthusamy.ramalingam@xxxxxxx>
> Signed-off-by: Muralidhara M K <muralidhara.mk@xxxxxxx>
> ---
> drivers/platform/x86/amd/hsmp/hsmp.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/drivers/platform/x86/amd/hsmp/hsmp.c b/drivers/platform/x86/amd/hsmp/hsmp.c
> index 36ff83744684..a9dca97568b8 100644
> --- a/drivers/platform/x86/amd/hsmp/hsmp.c
> +++ b/drivers/platform/x86/amd/hsmp/hsmp.c
> @@ -306,6 +306,19 @@ static long hsmp_ioctl_msg(struct file *fp, unsigned long arg)
> if (msg.msg_id < HSMP_TEST || msg.msg_id >= HSMP_MSG_ID_MAX)
> return -ENOMSG;
>
> + /*
> + * Sanitize the user-controlled msg_id against speculative
> + * execution. The bounds check above retires the out-of-range
> + * case with -ENOMSG, but a mispredicted branch can still let the
> + * CPU speculatively use msg_id as an index into
> + * hsmp_msg_desc_table[] (here and in validate_message() /
> + * is_get_msg() called downstream via hsmp_send_message()), and
> + * pull arbitrary kernel memory into the cache (Spectre v1,
> + * CVE-2017-5753). Clamp once into msg.msg_id so every downstream
> + * dereference sees the sanitized value.
> + */
> + msg.msg_id = array_index_nospec(msg.msg_id, HSMP_MSG_ID_MAX);
> +
> switch (fp->f_mode & (FMODE_WRITE | FMODE_READ)) {
> case FMODE_WRITE:
> /*
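Review bot: The hunk introduces a call to array_index_nospec() but the diff adds no `#include <linux/nospec.h>` (the stat shows all 13 insertions are in this one hunk), so please confirm hsmp.c already includes it directly rather than relying on a transitive include. The placement itself looks right: the clamp sits after the `msg.msg_id >= HSMP_MSG_ID_MAX` check and writes back into msg.msg_id, so the later table indexing in validate_message()/is_get_msg() reached through hsmp_send_message() sees the bounded value, and since array_index_nospec() clamps to [0, HSMP_MSG_ID_MAX) the lower `< HSMP_TEST` check needs no separate treatment. The comment could be trimmed; the first sentence plus the reference to the downstream users says what the reader needs, and the Spectre v1/CVE-2017-5753 description repeats the commit message.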
Sashiko mentions there's a similar gadget for sock_ind in
hsmp_send_message().
--
i.