The rtas syscall reads a value from a user-provided structure and uses it
to index an array, being a possible area for a potential spectre v1 attack.
This is the code that exposes this problem.
args.rets = &args.args[nargs];
The nargs is an user provided value, and the below code is an example where
the 'nargs' value would be set to XX.
struct rtas_args ra;
ra.nargs = htobe32(XX);
syscall(__NR_rtas, &ra);
Signed-off-by: Breno Leitao <lei...@debian.org>
---
arch/powerpc/kernel/rtas.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index 8afd146bc9c7..5ef3c863003d 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -27,6 +27,7 @@
#include <linux/slab.h>
#include <linux/reboot.h>
#include <linux/syscalls.h>
+#include <linux/nospec.h>
#include <asm/prom.h>
#include <asm/rtas.h>
@@ -1056,7 +1057,7 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
struct rtas_args args;
unsigned long flags;
char *buff_copy, *errbuf = NULL;
- int nargs, nret, token;
+ int index, nargs, nret, token;
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
@@ -1084,7 +1085,8 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
if (token == RTAS_UNKNOWN_SERVICE)
return -EINVAL;
- args.rets = &args.args[nargs];
+ index = array_index_nospec(nargs, ARRAY_SIZE(args.args));
+ args.rets = &args.args[index];
memset(args.rets, 0, nret * sizeof(rtas_arg_t));
/* Need to handle ibm,suspend_me call specially */
--
2.16.3
