+Nathan as this is RTAS related. Le 21/08/2018 à 20:42, Breno Leitao a écrit : > The rtas syscall reads a value from a user-provided structure and uses it > to index an array, being a possible area for a potential spectre v1 attack. > This is the code that exposes this problem. > > args.rets = &args.args[nargs]; > > The nargs is an user provided value, and the below code is an example where > the 'nargs' value would be set to XX. > > struct rtas_args ra; > ra.nargs = htobe32(XX); > syscall(__NR_rtas, &ra);
This patch has been hanging around in patchwork since 2018 and doesn't apply anymore. Is it still relevant ? If so, can you rebase et resubmit ? Thanks Christophe > > Signed-off-by: Breno Leitao <lei...@debian.org> > --- > arch/powerpc/kernel/rtas.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c > index 8afd146bc9c7..5ef3c863003d 100644 > --- a/arch/powerpc/kernel/rtas.c > +++ b/arch/powerpc/kernel/rtas.c > @@ -27,6 +27,7 @@ > #include <linux/slab.h> > #include <linux/reboot.h> > #include <linux/syscalls.h> > +#include <linux/nospec.h> > > #include <asm/prom.h> > #include <asm/rtas.h> > @@ -1056,7 +1057,7 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs) > struct rtas_args args; > unsigned long flags; > char *buff_copy, *errbuf = NULL; > - int nargs, nret, token; > + int index, nargs, nret, token; > > if (!capable(CAP_SYS_ADMIN)) > return -EPERM; > @@ -1084,7 +1085,8 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs) > if (token == RTAS_UNKNOWN_SERVICE) > return -EINVAL; > > - args.rets = &args.args[nargs]; > + index = array_index_nospec(nargs, ARRAY_SIZE(args.args)); > + args.rets = &args.args[index]; > memset(args.rets, 0, nret * sizeof(rtas_arg_t)); > > /* Need to handle ibm,suspend_me call specially */
