From: Jordy Zomer <jordyzomer@xxxxxxxxxx> This patch fixes a spectre-v1 gadget in cdrom. The gadget could be triggered by speculatively bypassing the cdi->capacity check. Signed-off-by: Jordy Zomer <jordyzomer@xxxxxxxxxx> Link: https://lore.kernel.org/all/20230612110040.849318-2-jordyzomer@xxxxxxxxxx Reviewed-by: Phillip Potter <phil@xxxxxxxxxxxxxxxx> Link: https://lore.kernel.org/all/ZI1+1OG9Ut1MqsUC@equinox Signed-off-by: Phillip Potter <phil@xxxxxxxxxxxxxxxx> --- drivers/cdrom/cdrom.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c index 416f723a2dbb..ecf2b458c108 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -264,6 +264,7 @@ #include <linux/errno.h> #include <linux/kernel.h> #include <linux/mm.h> +#include <linux/nospec.h> #include <linux/slab.h> #include <linux/cdrom.h> #include <linux/sysctl.h> @@ -2329,6 +2330,9 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi, if (arg >= cdi->capacity) return -EINVAL; + /* Prevent arg from speculatively bypassing the length check */ + barrier_nospec(); + info = kmalloc(sizeof(*info), GFP_KERNEL); if (!info) return -ENOMEM; -- 2.40.1
