riscv: Add Spectre v1 mitigations

[PATCH 2/2] riscv: Sanitize syscall table indexing under speculation

Posted by Lukas Gerlach 1 month, 3 weeks ago

The syscall number is a user-controlled value used to index into the
syscall table. Use array_index_nospec() to clamp this value after the
bounds check to prevent speculative out-of-bounds access and subsequent
data leakage via cache side channels.

Signed-off-by: Lukas Gerlach <lukas.gerlach@cispa.de>
---
 arch/riscv/kernel/traps.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 80230de167de..47afea4ff1a8 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -339,8 +339,10 @@ void do_trap_ecall_u(struct pt_regs *regs)
 
 		add_random_kstack_offset();
 
-		if (syscall >= 0 && syscall < NR_syscalls)
+		if (syscall >= 0 && syscall < NR_syscalls) {
+			syscall = array_index_nospec(syscall, NR_syscalls);
 			syscall_handler(regs, syscall);
+		}
 
 		/*
 		 * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
-- 
2.51.0

Re: [PATCH 2/2] riscv: Sanitize syscall table indexing under speculation

Posted by Paul Walmsley 1 month, 1 week ago

On Thu, 18 Dec 2025, Lukas Gerlach wrote:

> The syscall number is a user-controlled value used to index into the
> syscall table. Use array_index_nospec() to clamp this value after the
> bounds check to prevent speculative out-of-bounds access and subsequent
> data leakage via cache side channels.
> 
> Signed-off-by: Lukas Gerlach <lukas.gerlach@cispa.de>

Thanks, queued for v6.19-rc.


- Paul

[PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation
[PATCH 2/2] riscv: Sanitize syscall table indexing under speculation