On Wed, 2019-01-30 at 12:46:00 UTC, Breno Leitao wrote: > 'regno' is directly controlled by user space, hence leading to a potential > exploitation of the Spectre variant 1 vulnerability. > > On PTRACE_SETREGS and PTRACE_GETREGS requests, user space passes the > register number that would be read or written. This register number is > called 'regno' which is part of the 'addr' syscall parameter. > > This 'regno' value is checked against the maximum pt_regs structure size, > and then used to dereference it, which matches the initial part of a > Spectre v1 (and Spectre v1.1) attack. The dereferenced value, then, > is returned to userspace in the GETREGS case. > > This patch sanitizes 'regno' before using it to dereference pt_reg. > > Notice that given that speculation windows are large, the policy is > to kill the speculation on the first load and not worry if it can be > completed with a dependent load/store [1]. > > [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 > > Signed-off-by: Breno Leitao <lei...@debian.org> > Acked-by: Gustavo A. R. Silva <gust...@embeddedor.com>
Applied to powerpc next, thanks. https://git.kernel.org/powerpc/c/ebb0e13ead2ddc186a80b1b0235deeef cheers
