From nobody Wed Dec 17 10:57:35 2025
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 15AD0C4167B
	for <linux-kernel@archiver.kernel.org>; Tue, 28 Nov 2023 08:37:43 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1344183AbjK1Ihe (ORCPT
        <rfc822;linux-kernel@archiver.kernel.org>);
        Tue, 28 Nov 2023 03:37:34 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46928 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1344194AbjK1IhW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Nov 2023 03:37:22 -0500
Received: from smtp-fw-33001.amazon.com (smtp-fw-33001.amazon.com
 [207.171.190.10])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 506CE10E6;
        Tue, 28 Nov 2023 00:37:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209;
  t=1701160649; x=1732696649;
  h=from:to:cc:subject:date:message-id:mime-version:
   content-transfer-encoding;
  bh=dzJq7ZS6+MalTytYoBY1Oc9I5uKD7F8atHWY0xkMgew=;
  b=F4SxQqWKrqfWTF3gJrwOeFEQFShgq/IJrqQOSTs/4OboJyenNHWeIIke
   M9CtHyHITHio+tbqZWgxr3KdIJAe7gX97StauyRzoneV0niVvVw8ocUCS
   UsbOjR9akndGsnzwHasd3qgSm2HRT6f+9TObwhhatlpn8sDTI3lqbezu/
   Y=;
X-IronPort-AV: E=Sophos;i="6.04,233,1695686400";
   d="scan'208";a="314749951"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO
 email-inbound-relay-pdx-2a-m6i4x-44b6fc51.us-west-2.amazon.com) ([10.43.8.6])
  by smtp-border-fw-33001.sea14.amazon.com with
 ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Nov 2023 08:37:22 +0000
Received: from smtpout.prod.us-east-1.prod.farcaster.email.amazon.dev
 (pdx2-ws-svc-p26-lb5-vlan2.pdx.amazon.com [10.39.38.66])
        by email-inbound-relay-pdx-2a-m6i4x-44b6fc51.us-west-2.amazon.com
 (Postfix) with ESMTPS id 20947A0BC4;
        Tue, 28 Nov 2023 08:37:20 +0000 (UTC)
Received: from EX19MTAEUC002.ant.amazon.com [10.0.43.254:51433]
 by smtpin.naws.eu-west-1.prod.farcaster.email.amazon.dev [10.0.26.183:2525]
 with esmtp (Farcaster)
 id 5aac89e3-95a7-4431-957d-05d4a3748f4d;
 Tue, 28 Nov 2023 08:37:19 +0000 (UTC)
X-Farcaster-Flow-ID: 5aac89e3-95a7-4431-957d-05d4a3748f4d
Received: from EX19D002EUC001.ant.amazon.com (10.252.51.219) by
 EX19MTAEUC002.ant.amazon.com (10.252.51.181) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1118.39; Tue, 28 Nov 2023 08:37:18 +0000
Received: from EX19MTAUWB001.ant.amazon.com (10.250.64.248) by
 EX19D002EUC001.ant.amazon.com (10.252.51.219) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1118.39; Tue, 28 Nov 2023 08:37:18 +0000
Received: from dev-dsk-hagarhem-1b-81bb22e5.eu-west-1.amazon.com
 (172.19.65.226) by mail-relay.amazon.com (10.250.64.254) with Microsoft SMTP
 Server id 15.2.1118.39 via Frontend Transport; Tue, 28 Nov 2023 08:37:18
 +0000
Received: by dev-dsk-hagarhem-1b-81bb22e5.eu-west-1.amazon.com (Postfix,
 from userid 23002382)
        id 8D54D5BCC; Tue, 28 Nov 2023 08:37:17 +0000 (UTC)
From: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
CC: Maximilian Heyne <mheyne@amazon.de>,
        Norbert Manthey <nmanthey@amazon.de>,
        Hagar Gamal Halim Hemdan <hagarhem@amazon.com>,
        <stable@vger.kernel.org>, Bryan Tan <bryantan@vmware.com>,
        Vishnu Dasa <vdasa@vmware.com>,
        "VMware PV-Drivers Reviewers" <pv-drivers@vmware.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Dmitry Torokhov <dtor@vmware.com>,
        George Zhang <georgezhang@vmware.com>,
        Andy king <acking@vmware.com>, <linux-kernel@vger.kernel.org>
Subject: [PATCH v2] vmci: prevent speculation leaks by sanitizing event in
 event_deliver()
Date: Tue, 28 Nov 2023 08:36:58 +0000
Message-ID: <20231128083658.23960-1-hagarhem@amazon.com>
X-Mailer: git-send-email 2.40.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
To: unlisted-recipients:; (no To-header on input)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

Coverity spotted that event_msg is controlled by user-space,
event_msg->event_data.event is passed to event_deliver() and used
as an index without sanitization.

This change ensures that the event index is sanitized to mitigate any
possibility of speculative information leaks.

Fixes: 1d990201f9bb ("VMCI: event handling implementation.")

Signed-off-by: Hagar Gamal Halim Hemdan <hagarhem@amazon.com>
Cc: stable@vger.kernel.org
---
 drivers/misc/vmw_vmci/vmci_event.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/vmw_vmci/vmci_event.c b/drivers/misc/vmw_vmci/vmc=
i_event.c
index 5d7ac07623c2..9a41ab65378d 100644
--- a/drivers/misc/vmw_vmci/vmci_event.c
+++ b/drivers/misc/vmw_vmci/vmci_event.c
@@ -9,6 +9,7 @@
 #include <linux/vmw_vmci_api.h>
 #include <linux/list.h>
 #include <linux/module.h>
+#include <linux/nospec.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/rculist.h>
@@ -86,9 +87,12 @@ static void event_deliver(struct vmci_event_msg *event_m=
sg)
 {
 	struct vmci_subscription *cur;
 	struct list_head *subscriber_list;
+	u32 sanitized_event, max_vmci_event;
=20
 	rcu_read_lock();
-	subscriber_list =3D &subscriber_array[event_msg->event_data.event];
+	max_vmci_event =3D ARRAY_SIZE(subscriber_array);
+	sanitized_event =3D array_index_nospec(event_msg->event_data.event, max_v=
mci_event);
+	subscriber_list =3D &subscriber_array[sanitized_event];
 	list_for_each_entry_rcu(cur, subscriber_list, node) {
 		cur->callback(cur->id, &event_msg->event_data,
 			      cur->callback_data);
--=20
2.40.1