From 49d6aaad3b6df885a789e9926e70463b55f5674a Mon Sep 17 00:00:00 2001 From: Bowen You Date: Tue, 24 Sep 2024 08:16:37 +0000 Subject: [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0974d03eb479384466d828d65637814bee6b26d7 -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch Reported-by: Breno Leitao Reviewed-by: Breno Leitao Signed-off-by: Michael Ellerman Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm.com Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You --- arch/powerpc/kernel/rtas.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index 46b9476d7582..dc294c95da21 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include @@ -1839,6 +1840,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs) || nargs + nret > ARRAY_SIZE(args.args)) return -EINVAL; + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args)); + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs); + /* Copy in args. */ if (copy_from_user(args.args, uargs->args, nargs * sizeof(rtas_arg_t)) != 0) -- Gitee