On Mon, Jun 12, 2023 at 11:00:40AM +0000, Jordy Zomer wrote:
> This patch fixes a spectre-v1 gadget in cdrom.
> The gadget could be triggered by
> speculatively bypassing the cdi->capacity check.
>
> Signed-off-by: Jordy Zomer <jordyzomer@xxxxxxxxxx>
> ---
> drivers/cdrom/cdrom.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> index 416f723a2dbb..ecf2b458c108 100644
> --- a/drivers/cdrom/cdrom.c
> +++ b/drivers/cdrom/cdrom.c
> @@ -264,6 +264,7 @@
> #include <linux/errno.h>
> #include <linux/kernel.h>
> #include <linux/mm.h>
> +#include <linux/nospec.h>
> #include <linux/slab.h>
> #include <linux/cdrom.h>
> #include <linux/sysctl.h>
> @@ -2329,6 +2330,9 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
> if (arg >= cdi->capacity)
> return -EINVAL;
>
> + /* Prevent arg from speculatively bypassing the length check */
> + barrier_nospec();
> +
> info = kmalloc(sizeof(*info), GFP_KERNEL);
> if (!info)
> return -ENOMEM;
> --
> 2.41.0.162.gfafddb0af9-goog
>

Hi Jordy,

Thanks for the patch, I will review/build it properly tonight after work, although at first glance it looks good to me. I'll be in touch.

Regards,
Phil Potter
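Review bot: in the hunk against cdrom_ioctl_media_changed(), barrier_nospec() is a full speculation barrier, the heavier of the two tools that <linux/nospec.h> provides; when the only effect of the mis-speculated `if (arg >= cdi->capacity)` check is an out-of-range `arg`, the usual kernel idiom is to clamp the index rather than fence, i.e. `arg = array_index_nospec(arg, cdi->capacity);` directly after that check, which needs no serializing instruction on the ioctl path. Whichever form is kept, the commit message should say what `arg` is used to index after the check, since at the moment it only states that the capacity check can be bypassed and a reviewer cannot see the gadget from the description alone.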