On Mon, Jul 23, 2018 at 12:32 PM, Gustavo A. R. Silva <gustavo at embeddedor.com> wrote: > idx can be indirectly controlled by user-space, hence leading to a > potential exploitation of the Spectre variant 1 vulnerability. > > This issue was detected with the help of Smatch: > > drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c:408 amdgpu_set_pp_force_state() > warn: potential spectre issue 'data.states' > > Fix this by sanitizing idx before using it to index data.states Is this actually necessary? We already check that idx is valid a few lines before: if (ret || idx >= ARRAY_SIZE(data.states)) { count = -EINVAL; goto fail; } Alex > > Notice that given that speculation windows are large, the policy is > to kill the speculation on the first load and not worry if it can be > completed with a dependent load/store [1]. > > [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 > > Cc: stable at vger.kernel.org > Signed-off-by: Gustavo A. R. Silva <gustavo at embeddedor.com> > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c > index 15a1192..a446c7c 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c > @@ -31,7 +31,7 @@ > #include <linux/power_supply.h> > #include <linux/hwmon.h> > #include <linux/hwmon-sysfs.h> > - > +#include <linux/nospec.h> > > static int amdgpu_debugfs_pm_init(struct amdgpu_device *adev); > > @@ -403,6 +403,7 @@ static ssize_t amdgpu_set_pp_force_state(struct device *dev, > count = -EINVAL; > goto fail; > } > + idx = array_index_nospec(idx, ARRAY_SIZE(data.states)); > > amdgpu_dpm_get_pp_num_states(adev, &data); > state = data.states[idx]; > -- > 2.7.4 > > _______________________________________________ > amd-gfx mailing list > amd-gfx at lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/amd-gfx
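Review bot: in the second hunk (amdgpu_set_pp_force_state), the added "idx = array_index_nospec(idx, ARRAY_SIZE(data.states));" sits directly below an "idx >= ARRAY_SIZE(data.states)" check, and neither the code nor the commit message says why both are needed, which is the question the reply raises. The existing check is a conditional branch; if it is mispredicted, the later "state = data.states[idx];" load can execute speculatively with an out-of-range idx before the branch resolves, whereas array_index_nospec() clamps idx with a data-dependent mask instead of a branch, so the bound also holds on the speculative path. Suggest a one-line comment above the clamp, or one sentence in the commit message, stating that. The existing check should stay in front of the clamp as it is here, since array_index_nospec() turns an out-of-range idx into 0 rather than reporting an error.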
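The question in the reply turns on the difference between a bounds check that is a branch and a clamp that is pure arithmetic. The following is an added illustration, not code from the patch or from the kernel tree: a user-space C model of the mask arithmetic used by the generic array_index_nospec() fallback. The names index_mask_nospec, clamp_index_nospec and lookup_state and the states table are hypothetical and constructed for this example.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG ((int)(sizeof(long) * CHAR_BIT))
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * User-space model of the generic mask behind array_index_nospec():
 * all ones when index < size, zero otherwise, computed without a branch.
 * Valid for index and size up to LONG_MAX; relies on arithmetic right
 * shift of a negative long (GCC and Clang behaviour).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	/* Hide index from the optimizer so the mask is not folded away after
	 * the bounds check (GCC/Clang inline asm, emits no instructions). */
	__asm__ volatile("" : "+r"(index));
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* In range: index unchanged. Out of range: 0, never an error code. */
static unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Constructed stand-in for data.states; the values are arbitrary. */
static const int states[16] = { 100, 101, 102, 103, 104, 105, 106, 107,
				108, 109, 110, 111, 112, 113, 114, 115 };

/* Same order as the patched handler: check, clamp, then load. */
static int lookup_state(unsigned long idx, int *out)
{
	if (idx >= ARRAY_SIZE(states))
		return -1;	/* architectural path: reject bad input */
	/* Speculative path: a mispredicted branch above still loads in bounds. */
	idx = clamp_index_nospec(idx, ARRAY_SIZE(states));
	*out = states[idx];
	return 0;
}

int main(void)
{
	unsigned long probes[] = { 0, 15, 16, 17, (unsigned long)LONG_MAX };
	for (size_t i = 0; i < ARRAY_SIZE(probes); i++)
		printf("idx=%lu -> clamped=%lu\n", probes[i],
		       clamp_index_nospec(probes[i], ARRAY_SIZE(states)));
	return 0;
}
```

On the architectural path the clamp never changes a value that passed the check; its effect is only visible to a load issued while the branch is still unresolved.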