drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++ 1 file changed, 3 insertions(+)
It appears like nr could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents
of kernel memory from being leaked to userspace via speculative
execution by using array_index_nospec.
Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
index 3ba3a8ffda3e..c1cdf712a10d 100644
--- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
+++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
@@ -14,6 +14,7 @@
#include <linux/fs.h>
#include <linux/uaccess.h>
#include <linux/slab.h>
+#include <linux/nospec.h>
static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = {
[HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr),
@@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
}
if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
+ nr = array_index_nospec(nr, HL_COMMAND_END-1);
ioctl = &hl_ioctls[nr];
} else {
dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
@@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
}
if (nr == _IOC_NR(HL_IOCTL_INFO)) {
+ nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO));
ioctl = &hl_ioctls_control[nr];
} else {
dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
--
2.27.0
On Tue, Feb 1, 2022 at 7:25 PM Jordy Zomer <jordy@pwning.systems> wrote:
>
> It appears like nr could be a Spectre v1 gadget as it's supplied by a
> user and used as an array index. Prevent the contents
> of kernel memory from being leaked to userspace via speculative
> execution by using array_index_nospec.
>
> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
> ---
> drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> index 3ba3a8ffda3e..c1cdf712a10d 100644
> --- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> +++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> @@ -14,6 +14,7 @@
> #include <linux/fs.h>
> #include <linux/uaccess.h>
> #include <linux/slab.h>
> +#include <linux/nospec.h>
>
> static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = {
> [HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr),
> @@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
> + nr = array_index_nospec(nr, HL_COMMAND_END-1);
> ioctl = &hl_ioctls[nr];
> } else {
> dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
> @@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if (nr == _IOC_NR(HL_IOCTL_INFO)) {
> + nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO));
> ioctl = &hl_ioctls_control[nr];
> } else {
> dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
> --
> 2.27.0
>
Thanks for the patch.
I'm going to run this through our CI and if nothing breaks I'll merge
it to our -next branch.
Oded
On Wed, Feb 2, 2022 at 9:50 AM Oded Gabbay <ogabbay@kernel.org> wrote:
>
> On Tue, Feb 1, 2022 at 7:25 PM Jordy Zomer <jordy@pwning.systems> wrote:
> >
> > It appears like nr could be a Spectre v1 gadget as it's supplied by a
> > user and used as an array index. Prevent the contents
> > of kernel memory from being leaked to userspace via speculative
> > execution by using array_index_nospec.
> >
> > Signed-off-by: Jordy Zomer <jordy@pwning.systems>
> > ---
> > drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> > index 3ba3a8ffda3e..c1cdf712a10d 100644
> > --- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> > +++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> > @@ -14,6 +14,7 @@
> > #include <linux/fs.h>
> > #include <linux/uaccess.h>
> > #include <linux/slab.h>
> > +#include <linux/nospec.h>
> >
> > static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = {
> > [HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr),
> > @@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> > }
> >
> > if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
> > + nr = array_index_nospec(nr, HL_COMMAND_END-1);
This needs to be HL_COMMAND_END.
The pattern (as described in array_index_nospec comment) is
if (index < size) {
index = array_index_nospec(index, size);
val = array[index];
}
When you do -1, it misses the last value which causes that ioctl to
get rejected.
> > ioctl = &hl_ioctls[nr];
> > } else {
> > dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
> > @@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
> > }
> >
> > if (nr == _IOC_NR(HL_IOCTL_INFO)) {
> > + nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO));
same here, it should be _IOC_NR(HL_IOCTL_INFO) + 1
Thanks,
Oded
> > ioctl = &hl_ioctls_control[nr];
> > } else {
> > dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
> > --
> > 2.27.0
> >
>
> Thanks for the patch.
> I'm going to run this through our CI and if nothing breaks I'll merge
> it to our -next branch.
>
> Oded
It appears like nr could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents
of kernel memory from being leaked to userspace via speculative
execution by using array_index_nospec.
Thanks for noticing Oded, made the changes.
Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
Changes v1 -> v2: Added the correct offsets
---
drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
index 3ba3a8ffda3e..c1cdf712a10d 100644
--- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
+++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
@@ -14,6 +14,7 @@
#include <linux/fs.h>
#include <linux/uaccess.h>
#include <linux/slab.h>
+#include <linux/nospec.h>
static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = {
[HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr),
@@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
}
if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
+ nr = array_index_nospec(nr, HL_COMMAND_END);
ioctl = &hl_ioctls[nr];
} else {
dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
@@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
}
if (nr == _IOC_NR(HL_IOCTL_INFO)) {
+ nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO)+1);
ioctl = &hl_ioctls_control[nr];
} else {
dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
--
2.27.0
On Wed, Feb 02, 2022 at 06:19:24PM +0100, Jordy Zomer wrote: > It appears like nr could be a Spectre v1 gadget as it's supplied by a > user and used as an array index. Prevent the contents > of kernel memory from being leaked to userspace via speculative > execution by using array_index_nospec. Can you wrap your lines in a standard way? > > Thanks for noticing Oded, made the changes. This line should not be in the changelog :( thanks, greg k-h
It appears like nr could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents of kernel memory
being leaked to userspace via speculative execution by using
array_index_nospec.
Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
Changes v1 -> v2: Added the correct offsets
Changes v2 -> v3: Fixed line-wrapping
---
drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
index 3ba3a8ffda3e..c1cdf712a10d 100644
--- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
+++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
@@ -14,6 +14,7 @@
#include <linux/fs.h>
#include <linux/uaccess.h>
#include <linux/slab.h>
+#include <linux/nospec.h>
static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = {
[HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr),
@@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
}
if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
+ nr = array_index_nospec(nr, HL_COMMAND_END);
ioctl = &hl_ioctls[nr];
} else {
dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
@@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
}
if (nr == _IOC_NR(HL_IOCTL_INFO)) {
+ nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO)+1);
ioctl = &hl_ioctls_control[nr];
} else {
dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
--
2.27.0
Sorry! Removed the message and hope the line-wrapping is correct now :)
> On 2 Feb 2022, at 20:11, Jordy Zomer <jordy@pwning.systems> wrote:
>
> It appears like nr could be a Spectre v1 gadget as it's supplied by a
> user and used as an array index. Prevent the contents of kernel memory
> being leaked to userspace via speculative execution by using
> array_index_nospec.
>
> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
>
> ---
> Changes v1 -> v2: Added the correct offsets
> Changes v2 -> v3: Fixed line-wrapping
> ---
> drivers/misc/habanalabs/common/habanalabs_ioctl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> index 3ba3a8ffda3e..c1cdf712a10d 100644
> --- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> +++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> @@ -14,6 +14,7 @@
> #include <linux/fs.h>
> #include <linux/uaccess.h>
> #include <linux/slab.h>
> +#include <linux/nospec.h>
>
> static u32 hl_debug_struct_size[HL_DEBUG_OP_TIMESTAMP + 1] = {
> [HL_DEBUG_OP_ETR] = sizeof(struct hl_debug_params_etr),
> @@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
> + nr = array_index_nospec(nr, HL_COMMAND_END);
> ioctl = &hl_ioctls[nr];
> } else {
> dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
> @@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if (nr == _IOC_NR(HL_IOCTL_INFO)) {
> + nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO)+1);
> ioctl = &hl_ioctls_control[nr];
> } else {
> dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
> --
> 2.27.0
>
On 02/02/2022 19:11, Jordy Zomer wrote:
> diff --git a/drivers/misc/habanalabs/common/habanalabs_ioctl.c b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> index 3ba3a8ffda3e..c1cdf712a10d 100644
> --- a/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> +++ b/drivers/misc/habanalabs/common/habanalabs_ioctl.c
> @@ -849,6 +850,7 @@ long hl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if ((nr >= HL_COMMAND_START) && (nr < HL_COMMAND_END)) {
> + nr = array_index_nospec(nr, HL_COMMAND_END);
> ioctl = &hl_ioctls[nr];
> } else {
> dev_err(hdev->dev, "invalid ioctl: pid=%d, nr=0x%02x\n",
> @@ -872,6 +874,7 @@ long hl_ioctl_control(struct file *filep, unsigned int cmd, unsigned long arg)
> }
>
> if (nr == _IOC_NR(HL_IOCTL_INFO)) {
> + nr = array_index_nospec(nr, _IOC_NR(HL_IOCTL_INFO)+1);
> ioctl = &hl_ioctls_control[nr];
> } else {
> dev_err(hdev->dev_ctrl, "invalid ioctl: pid=%d, nr=0x%02x\n",
Sorry for jumping in the middle here, but array_index_nospec() is
finicky to use, and both examples here don't quite behave as intended.
(In reverse order), first, any competent compiler will turn:
if (nr == _IOC_NR(HL_IOCTL_INFO)) {
ioctl = &hl_ioctls_control[nr];
into
ioctl = &hl_ioctls_control[_IOC_NR(HL_IOCTL_INFO)];
which can be evaluated at compile time without reference to nr. By
using array_index_nospec(), you inhibit this optimisation, forcing the
load to be dependent on nr, and with the extra logic to try and make nr
be safe.
Second, array_index_nospec(nr, HL_COMMAND_END); only protects the upper
bound. In this case, the valid lower bound is not zero.
i.e. while you've prevented an OoB read of the hl_ioctls[] array as a
whole, there is still a Spectre-v1 gadget where you can speculatively
continue using &hl_ioctls[0] which is out of bounds from the logic's
point of view.
One fix is to use:
nr = HL_COMMAND_START +
array_index_nospec(nr, HL_COMMAND_END - HL_COMMAND_START);
while another is to confirm that the subsequent logic is safe to
confused-deputy problems. This analysis probably needs doing anyway as
there are multiple ioctl implementations that can be selected.
~Andrew
© 2016 - 2026 Red Hat, Inc.