Patch "gpio: prevent potential speculation leaks in gpio_device_get_desc()" has been added to the 6.10-stable tree


 



This is a note to let you know that I've just added the patch titled

    gpio: prevent potential speculation leaks in gpio_device_get_desc()

to the 6.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     gpio-prevent-potential-speculation-leaks-in-gpio_dev.patch
and it can be found in the queue-6.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 326813cd370e4a615d144750cc76857c60105b7a
Author: Hagar Hemdan <hagarhem@xxxxxxxxxx>
Date:   Thu May 23 08:53:32 2024 +0000

    gpio: prevent potential speculation leaks in gpio_device_get_desc()
    
    [ Upstream commit d795848ecce24a75dfd46481aee066ae6fe39775 ]
    
    Userspace may trigger a speculative read of an address outside the gpio
    descriptor array.
    Users can do that by calling gpio_ioctl() with an offset out of range.
    Offset is copied from user and then used as an array index to get
    the gpio descriptor without sanitization in gpio_device_get_desc().
    
    This change ensures that the offset is sanitized by using
    array_index_nospec() to mitigate any possibility of speculative
    information leaks.
    
    This bug was discovered and resolved using Coverity Static Analysis
    Security Testing (SAST) by Synopsys, Inc.
    
    Signed-off-by: Hagar Hemdan <hagarhem@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240523085332.1801-1-hagarhem@xxxxxxxxxx
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index fa62367ee9290..1a9aadd4c803c 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -17,6 +17,7 @@
 #include <linux/list.h>
 #include <linux/lockdep.h>
 #include <linux/module.h>
+#include <linux/nospec.h>
 #include <linux/of.h>
 #include <linux/pinctrl/consumer.h>
 #include <linux/seq_file.h>
@@ -198,7 +199,7 @@ gpio_device_get_desc(struct gpio_device *gdev, unsigned int hwnum)
 	if (hwnum >= gdev->ngpio)
 		return ERR_PTR(-EINVAL);
 
-	return &gdev->descs[hwnum];
+	return &gdev->descs[array_index_nospec(hwnum, gdev->ngpio)];
 }
 EXPORT_SYMBOL_GPL(gpio_device_get_desc);
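Review bot: In gpio_device_get_desc(), the clamp on the return line follows a check that already rejects hwnum >= gdev->ngpio, so without a comment it reads as redundant and could be dropped in a later cleanup. A one-line comment above the return would keep the intent visible: it should say that hwnum can originate from userspace (per the commit message, via gpio_ioctl()) and that the bounds check alone does not constrain a speculatively executed load. The size passed to array_index_nospec() is the same gdev->ngpio used in the check, which is what the helper needs in order to clamp to the valid range.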
 



