Re: [PATCH 12/18] Thermal/int340x: prevent bounds-check bypass via speculative execution

From: Srinivas Pandruvada
Date: Fri Jan 05 2018 - 20:54:01 EST


On Fri, 2018-01-05 at 17:10 -0800, Dan Williams wrote:
> Static analysis reports that 'trip' may be a user controlled value
> that
> is used as a data dependency to read '*temp' from the 'd->aux_trips'
> array.ÂÂIn order to avoid potential leaks of kernel memory values,
> block
> speculative execution of the instruction stream that could issue
> reads
> based on an invalid value of '*temp'.

Not against the change as this is in a very slow path. But the trip is
not an arbitrary value which user can enter.

This trip value is the one of the sysfs attribute in thermal zone. For
example

# cd /sys/class/thermal/thermal_zone1
# lsÂtrip_point_?_temp
trip_point_0_tempÂÂtrip_point_1_tempÂÂtrip_point_2_tempÂÂtrip_point_3_t
empÂÂtrip_point_4_tempÂÂtrip_point_5_tempÂÂtrip_point_6_temp

Here the "trip" is one of the above trip_point_*_temp. So in this case
it can be from 0 to 6 as user can't do
# cat trip_point_7_temp
as there is no sysfs attribute for trip_point_7_temp.

The actual "trip" was obtained in thermal core via

   if (sscanf(attr->attr.name, "trip_point_%d_temp", &trip) != 1)
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂreturn -EINVAL;

Thanks,
Srinivas



>
> Based on an original patch by Elena Reshetova.
>
> Cc: Srinivas Pandruvada <srinivas.pandruvada@xxxxxxxxxxxxxxx>
> Cc: Zhang Rui <rui.zhang@xxxxxxxxx>
> Cc: Eduardo Valentin <edubezval@xxxxxxxxx>
> Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx>
> Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx>
> ---
> Â.../thermal/int340x_thermal/int340x_thermal_zone.c |ÂÂÂ14 ++++++++
> ------
> Â1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
> b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
> index 145a5c53ff5c..442a1d9bf7ad 100644
> --- a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
> +++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c
> @@ -17,6 +17,7 @@
> Â#include <linux/init.h>
> Â#include <linux/acpi.h>
> Â#include <linux/thermal.h>
> +#include <linux/compiler.h>
> Â#include "int340x_thermal_zone.h"
> Â
> Âstatic int int340x_thermal_get_zone_temp(struct thermal_zone_device
> *zone,
> @@ -52,20 +53,21 @@ static int int340x_thermal_get_trip_temp(struct
> thermal_zone_device *zone,
> Â Âint trip, int *temp)
> Â{
> Â struct int34x_thermal_zone *d = zone->devdata;
> + unsigned long *elem;
> Â int i;
> Â
> Â if (d->override_ops && d->override_ops->get_trip_temp)
> Â return d->override_ops->get_trip_temp(zone, trip,
> temp);
> Â
> - if (trip < d->aux_trip_nr)
> - *temp = d->aux_trips[trip];
> - else if (trip == d->crt_trip_id)
> + if ((elem = nospec_array_ptr(d->aux_trips, trip, d-
> >aux_trip_nr))) {
> + *temp = *elem;
> + } else if (trip == d->crt_trip_id) {
> Â *temp = d->crt_temp;
> - else if (trip == d->psv_trip_id)
> + } else if (trip == d->psv_trip_id) {
> Â *temp = d->psv_temp;
> - else if (trip == d->hot_trip_id)
> + } else if (trip == d->hot_trip_id) {
> Â *temp = d->hot_temp;
> - else {
> + } else {
> Â for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT;
> i++) {
> Â if (d->act_trips[i].valid &&
> Â ÂÂÂÂd->act_trips[i].id == trip) {
>