[PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling

Hongling Zeng posted 1 patch 1 month, 3 weeks ago
There is a newer version of this series
Posted by Hongling Zeng 1 month, 3 weeks ago
Fix potential Spectre v1 vulnerabilities in the GPIB driver's
descriptor handling code. The issues occur when using user-controlled
handle values as array indices after bounds checking.

Use array_index_nospec() to prevent speculative execution from
bypassing the bounds check, which could leak information via
side-channel attacks.

Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
---
 drivers/gpib/common/gpib_os.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c
index 5909274ddc12..ff4019d51b51 100644
--- a/drivers/gpib/common/gpib_os.c
+++ b/drivers/gpib/common/gpib_os.c
@@ -19,6 +19,7 @@
 #include <linux/string.h>
 #include <linux/vmalloc.h>
 #include <linux/fcntl.h>
+#include <linux/nospec.h>
 #include <linux/kmod.h>
 #include <linux/uaccess.h>
 
@@ -1312,6 +1313,8 @@ static int close_dev_ioctl(struct file *filep, struct gpib_board *board, unsigne
 
 	if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
 		return -EINVAL;
+	
+	cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);
 
 	mutex_lock(&file_priv->descriptors_mutex);
 	desc = file_priv->descriptors[cmd.handle];
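Review bot: the changelog claims plural Spectre v1 vulnerabilities in the driver's descriptor handling code, but this hunk clamps cmd.handle only in close_dev_ioctl(); either every other path that indexes file_priv->descriptors[] with a user-supplied handle gets the same array_index_nospec() treatment in this series, or the subject and description should be narrowed to the single site fixed here. The placement itself is right: the clamp sits after the `if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)` reject and before `desc = file_priv->descriptors[cmd.handle];`, so the speculative index is bounded by the same constant the check uses.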
-- 
2.25.1
Re: [PATCH] gpib: fix spectre v1 vulnerabilities in descriptor handling
Posted by Greg KH 1 month, 3 weeks ago
On Fri, Apr 24, 2026 at 05:00:12PM +0800, Hongling Zeng wrote:
> Fix potential Spectre v1 vulnerabilities in the GPIB driver's
> descriptor handling code. The issues occur when using user-controlled
> handle values as array indices after bounds checking.
> 
> Use array_index_nospec() to prevent speculative execution from
> bypassing the bounds check, which could leak information via
> side-channel attacks.
> 
> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
> ---
>  drivers/gpib/common/gpib_os.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpib/common/gpib_os.c b/drivers/gpib/common/gpib_os.c
> index 5909274ddc12..ff4019d51b51 100644
> --- a/drivers/gpib/common/gpib_os.c
> +++ b/drivers/gpib/common/gpib_os.c
> @@ -19,6 +19,7 @@
>  #include <linux/string.h>
>  #include <linux/vmalloc.h>
>  #include <linux/fcntl.h>
> +#include <linux/nospec.h>
>  #include <linux/kmod.h>
>  #include <linux/uaccess.h>
>  
> @@ -1312,6 +1313,8 @@ static int close_dev_ioctl(struct file *filep, struct gpib_board *board, unsigne
>  
>  	if (cmd.handle >= GPIB_MAX_NUM_DESCRIPTORS)
>  		return -EINVAL;
> +	
> +	cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);
>  
>  	mutex_lock(&file_priv->descriptors_mutex);
>  	desc = file_priv->descriptors[cmd.handle];
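Review bot: the first added line in this hunk, `+` followed by a lone tab, is a whitespace-only line rather than an empty one; scripts/checkpatch.pl reports that as a trailing-whitespace error, so it should be a bare blank line before the `cmd.handle = array_index_nospec(cmd.handle, GPIB_MAX_NUM_DESCRIPTORS);` call. The changelog should also say how the issue was found (manual audit or a named static-analysis tool), since that is the first question a maintainer will ask about a Spectre v1 fix.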
> -- 
> 2.25.1
> 

What tool found this issue?

And why did you not run scripts/checkpatch.pl on the patch to notice the
error you added to the file with this change?  :(

thanks,

greg k-h