[PATCH v2 2/2] minstrel_ht: Mitigate minstrel_ht_get_expected_throughput() for BTI

Static analysis tools indicate that indirect target
minstrel_ht_get_expected_throughput() could be used as a disclosure
gadget for Intra-mode Branch Target Injection (IMBTI) or Branch History
Injection (BHI).

ASM generated by compilers indicates a construct of a typical disclosure
gadget, where function arguments can be used to speculatively access and
transmit the contents of an arbitrary memory location.

Mitigate it by adding a speculation barrier.

Reported-by: Scott D. Constable <scott.d.constable@xxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@xxxxxxxxxxxxxxx>
---
 net/mac80211/rc80211_minstrel_ht.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 788a82f9c74d..af66e5c8dcfa 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -11,6 +11,7 @@
 #include <linux/moduleparam.h>
 #include <linux/ieee80211.h>
 #include <linux/minmax.h>
+#include <linux/nospec.h>
 #include <net/mac80211.h>
 #include "rate.h"
 #include "sta_info.h"
@@ -1998,6 +1999,14 @@ static u32 minstrel_ht_get_expected_throughput(void *priv_sta)
 	struct minstrel_ht_sta *mi = priv_sta;
 	int i, j, prob, tp_avg;
 
+	/*
+	 * Protect against IMBTI/BHI.
+	 *
+	 * Transiently executing this function with an adversary controlled
+	 * argument may disclose secrets. Speculation barrier prevents that.
+	 */
+	barrier_nospec();
+
 	i = MI_RATE_GROUP(mi->max_tp_rate[0]);
 	j = MI_RATE_IDX(mi->max_tp_rate[0]);
 	prob = mi->groups[i].rates[j].prob_avg;
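
Review bot: the comment above barrier_nospec() says "adversary controlled argument" without naming it. In this hunk the only argument is priv_sta, and the loads that follow (mi->max_tp_rate[0], then mi->groups[i].rates[j].prob_avg) form a dependent chain off that pointer, which is the access-then-transmit shape the commit message describes. Suggest the comment name priv_sta and state that the barrier has to stay ahead of the first dereference of mi, so a later refactor does not move a load above it. The barrier is also unconditional at function entry, so every legitimate caller pays for it; a sentence in the commit message on how often this function is called, or on the measured cost, would help the stable backport decision.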
-- 
2.37.3



