forked from Minki/linux
a0d6ec8809
pdev_nr and rhport can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis' drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis' drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev' drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev' Fix this by sanitizing pdev_nr and rhport before using them to index vhcis and vhci->vhci_hcd_ss->vdev respectively. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
---|---|---|
.. | ||
Kconfig | ||
Makefile | ||
README | ||
stub_dev.c | ||
stub_main.c | ||
stub_rx.c | ||
stub_tx.c | ||
stub.h | ||
usbip_common.c | ||
usbip_common.h | ||
usbip_event.c | ||
vhci_hcd.c | ||
vhci_rx.c | ||
vhci_sysfs.c | ||
vhci_tx.c | ||
vhci.h | ||
vudc_dev.c | ||
vudc_main.c | ||
vudc_rx.c | ||
vudc_sysfs.c | ||
vudc_transfer.c | ||
vudc_tx.c | ||
vudc.h |
TODO: - more discussion about the protocol - testing - review of the userspace interface - document the protocol Please send patches for this code to Greg Kroah-Hartman <greg@kroah.com>