[PATCH 3.16 315/328] usb: gadget: storage: Fix Spectre v1 vulnerability

From: Ben Hutchings
Date: Sun Dec 09 2018 - 17:20:07 EST

3.16.62-rc1 review patch. If anyone has any objections, please let me know.


From: "Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx>

commit 9ae24af3669111d418242caec8dd4ebd9ba26860 upstream.

num can be indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/usb/gadget/function/f_mass_storage.c:3177 fsg_lun_make() warn:
potential spectre issue 'fsg_opts->common->luns' [r] (local cap)

Fix this by sanitizing num before using it to index

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx>
Acked-by: Felipe Balbi <felipe.balbi@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
drivers/usb/gadget/f_mass_storage.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/usb/gadget/f_mass_storage.c
+++ b/drivers/usb/gadget/f_mass_storage.c
@@ -219,6 +219,8 @@
#include <linux/usb/gadget.h>
#include <linux/usb/composite.h>

+#include <linux/nospec.h>
#include "gadget_chips.h"
#include "configfs.h"

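Review bot: the backport note "[bwh: Backported to 3.16: adjust context]" should also record that this hunk depends on <linux/nospec.h> and array_index_nospec() already being present in the 3.16 stable tree, since the header did not exist in the original 3.16 release; a one-line mention of the prerequisite commit in the bwh note would let reviewers of this series confirm the dependency without chasing the tree. Placement of the new include after the other <linux/...> headers and before the local "gadget_chips.h" / "configfs.h" includes follows the file's existing ordering.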
@@ -3344,6 +3346,7 @@ static struct config_group *fsg_lun_make
fsg_opts = to_fsg_opts(&group->cg_item);
if (num >= FSG_MAX_LUNS)
return ERR_PTR(-ERANGE);
+ num = array_index_nospec(num, FSG_MAX_LUNS);

if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
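Review bot: the sanitization is correctly ordered after the `if (num >= FSG_MAX_LUNS) return ERR_PTR(-ERANGE);` check, and using the same bound (FSG_MAX_LUNS) in array_index_nospec() as in the comparison is what makes the clamp sound; if the two ever diverge the speculation barrier silently stops covering the array. Reassigning `num` rather than clamping only inside the `luns[num]` expression is the right choice here, because it means any later use of `num` in fsg_lun_make() (not visible in this hunk) is covered as well. It would be worth a comment on the new line, or in the bwh note, that `luns` is dimensioned by FSG_MAX_LUNS, since the hunk itself does not show the array declaration and a reader of the 3.16 tree cannot confirm the bound from this context alone.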