linux/drivers/usb/usbip
Gustavo A. R. Silva a0d6ec8809 usbip: vhci_sysfs: fix potential Spectre v1
pdev_nr and rhport can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:
drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis'
drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis'
drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev'
drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev'

Fix this by sanitizing pdev_nr and rhport before using them to index
vhcis and vhci->vhci_hcd_ss->vdev respectively.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-24 18:14:28 +02:00
..
Kconfig usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS 2018-03-09 09:16:18 -08:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
README
stub_dev.c usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-15 09:52:02 +02:00
stub_main.c usbip: usbip_host: fix bad unlock balance during stub_probe() 2018-05-16 18:52:13 +02:00
stub_rx.c Merge 4.15.0-rc6 into usb-next 2018-01-02 15:13:41 +01:00
stub_tx.c usbip: stub: stop printing kernel pointer addresses in messages 2017-12-19 11:40:54 +01:00
stub.h usbip: usbip_host: fix NULL-ptr deref and use-after-free errors 2018-05-15 09:52:02 +02:00
usbip_common.c Merge 4.15-rc8 into usb-next 2018-01-15 15:00:11 +01:00
usbip_common.h usbip: vhci_hcd: Fix usb device and sockfd leaks 2018-04-22 14:45:11 +02:00
usbip_event.c usbip: usbip_event: fix to not print kernel pointer address 2018-04-22 14:45:12 +02:00
vhci_hcd.c usbip: vhci_hcd: check rhport before using in vhci_hub_control() 2018-04-22 14:45:11 +02:00
vhci_rx.c usbip: vhci: fix spelling mistake: "synchronuously" -> "synchronously" 2018-01-04 17:05:55 +01:00
vhci_sysfs.c usbip: vhci_sysfs: fix potential Spectre v1 2018-05-24 18:14:28 +02:00
vhci_tx.c usbip: vhci: stop printing kernel pointer addresses in messages 2017-12-19 11:40:54 +01:00
vhci.h USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00
vudc_dev.c USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00
vudc_main.c USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00
vudc_rx.c usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input 2018-01-04 17:07:26 +01:00
vudc_sysfs.c usbip: vudc: fix null pointer dereference on udc->lock 2018-03-09 10:01:07 -08:00
vudc_transfer.c USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00
vudc_tx.c usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer 2018-01-04 17:07:27 +01:00
vudc.h USB: usbip: Remove redundant license text 2017-11-07 15:45:01 +01:00

TODO:
	- more discussion about the protocol
	- testing
	- review of the userspace interface
	- document the protocol

Please send patches for this code to Greg Kroah-Hartman <greg@kroah.com>