Re: [PATCH 10/18] qla2xxx: prevent bounds-check bypass via speculative execution
From: Greg KH
Date: Sat Jan 06 2018 - 04:03:31 EST
On Fri, Jan 05, 2018 at 05:10:48PM -0800, Dan Williams wrote:
> Static analysis reports that 'handle' may be a user controlled value
> that is used as a data dependency to read 'sp' from the
> 'req->outstanding_cmds' array. In order to avoid potential leaks of
> kernel memory values, block speculative execution of the instruction
> stream that could issue reads based on an invalid value of 'sp'. In this
> case 'sp' is directly dereferenced later in the function.
I'm pretty sure that 'handle' comes from the hardware, not from
userspace, from what I can tell here. If we want to start auditing
__iomem data sources, great! But that's a bigger task, and one I don't
think we are ready to tackle...
thanks,
greg k-h