perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]

Linux-MTD Mailing List linux-mtd at lists.infradead.org
Mon May 14 05:59:11 PDT 2018 

Gitweb:     http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=4411ec1d1993e8dbff2898390e3fed280d88e446
Commit:     4411ec1d1993e8dbff2898390e3fed280d88e446
Parent:     354d7793070611b4df5a79fbb0f12752d0ed0cc5
Author:     Peter Zijlstra <peterz at infradead.org>
AuthorDate: Fri Apr 20 14:03:18 2018 +0200
Committer:  Ingo Molnar <mingo at kernel.org>
CommitDate: Sat May 5 08:37:27 2018 +0200

    perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
    
    > kernel/events/ring_buffer.c:871 perf_mmap_to_page() warn: potential spectre issue 'rb->aux_pages'
    
    Userspace controls @pgoff through the fault address. Sanitize the
    array index before doing the array dereference.
    
    Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
    Cc: <stable at kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin at linux.intel.com>
    Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
    Cc: Jiri Olsa <jolsa at redhat.com>
    Cc: Linus Torvalds <torvalds at linux-foundation.org>
    Cc: Peter Zijlstra <peterz at infradead.org>
    Cc: Stephane Eranian <eranian at google.com>
    Cc: Thomas Gleixner <tglx at linutronix.de>
    Cc: Vince Weaver <vincent.weaver at maine.edu>
    Signed-off-by: Ingo Molnar <mingo at kernel.org>
---
 kernel/events/ring_buffer.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
index 6c6b3c48db71..1d8ca9ea9979 100644
--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -14,6 +14,7 @@
 #include <linux/slab.h>
 #include <linux/circ_buf.h>
 #include <linux/poll.h>
+#include <linux/nospec.h>
 
 #include "internal.h"
 
@@ -867,8 +868,10 @@ perf_mmap_to_page(struct ring_buffer *rb, unsigned long pgoff)
 			return NULL;
 
 		/* AUX space */
-		if (pgoff >= rb->aux_pgoff)
-			return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]);
+		if (pgoff >= rb->aux_pgoff) {
+			int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages);
+			return virt_to_page(rb->aux_pages[aux_pgoff]);
+		}
 	}
 
 	return __perf_mmap_to_page(rb, pgoff);

More information about the linux-mtd-cvs mailing list