drivers: speculative load before bound-check
Jeetesh Burman [Thu, 29 Mar 2018 18:36:55 +0000 (23:36 +0530)]
Data can be speculatively loaded from memory and remain in the cache
even when the bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert a speculation barrier.

Bug 1964290
CVE-2017-5753

Change-Id: I69ce0633516b3a838cf2547adcff4ded806394e0
Signed-off-by: Hien Goi <hgoi@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650789
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit 7541f4625b73b64e0c64b403c6182cb295fd884c)
Reviewed-on: https://git-master.nvidia.com/r/1684501
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

drivers/media/i2c/tc358840.c
drivers/media/platform/tegra/camera/camera_common.c

index bc3cebf..79ea407 100644 (file)
@@ -45,7 +45,7 @@
 
 #include <media/i2c/tc358840.h>
 #include "tc358840_regs.h"
-
+#include <asm/barrier.h>
 
 static int debug;
 module_param(debug, int, 0644);
@@ -1955,6 +1955,8 @@ static int tc358840_enum_framesizes(struct v4l2_subdev *sd,
        if (fsizes->index >= num_frmfmt)
                return -EINVAL;
 
+       speculation_barrier();
+
        fsizes->type = V4L2_FRMSIZE_TYPE_DISCRETE;
        fsizes->discrete = frmfmt[fsizes->index].size;
 
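Review bot: The barrier added after the `fsizes->index >= num_frmfmt` check stops speculation wholesale but is not tied to the index it protects, and nothing in the code says which load it guards. If this tree carries `<linux/nospec.h>` (not visible from this page), clamping the index with `fsizes->index = array_index_nospec(fsizes->index, num_frmfmt);` would bound the `frmfmt[fsizes->index]` read directly and would not depend on an architecture-specific barrier definition. The same consideration applies to the barriers added in tc358840_enum_frameintervals and in both camera_common.c functions. The function body starts and ends outside this hunk, so any other use of `fsizes->index` there is not covered by this review.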
@@ -1985,6 +1987,8 @@ static int tc358840_enum_frameintervals(struct v4l2_subdev *sd,
        if (fintervals->index >= frmfmt[i].num_framerates)
                return -EINVAL;
 
+       speculation_barrier();
+
        fintervals->type = V4L2_FRMSIZE_TYPE_DISCRETE;
        fintervals->discrete.numerator = 1;
        fintervals->discrete.denominator =
index e2b7db6..270fac4 100644 (file)
@@ -20,6 +20,7 @@
 #include <linux/of_graph.h>
 #include <linux/string.h>
 #include <mach/io_dpd.h>
+#include <asm/barrier.h>
 
 #define has_s_op(master, op) \
        (master->ops && master->ops->op)
@@ -558,6 +559,8 @@ int camera_common_enum_framesizes(struct v4l2_subdev *sd,
        if (ret)
                return ret;
 
+       speculation_barrier();
+
        fsizes->type = V4L2_FRMSIZE_TYPE_DISCRETE;
        fsizes->discrete = s_data->frmfmt[fsizes->index].size;
 
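Review bot: The bounds check this barrier pairs with is not visible where the barrier sits, because it follows `if (ret) return ret;` rather than an index comparison. Presumably `ret` comes from a helper above the hunk that validates `fsizes->index`, but a reader cannot confirm that from here, and an unexplained barrier is easy to drop in a later cleanup. A comment on the barrier would record the intent, for example `/* Spectre v1 (CVE-2017-5753): no speculative use of fsizes->index past the range check above */`. It is also worth confirming that every other caller of that validation helper which then indexes `s_data->frmfmt[]` gets the same treatment, since those call sites are outside this hunk.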
@@ -593,6 +596,8 @@ int camera_common_enum_frameintervals(struct v4l2_subdev *sd,
        if (fintervals->index >= s_data->frmfmt[i].num_framerates)
                return -EINVAL;
 
+       speculation_barrier();
+
        fintervals->type = V4L2_FRMSIZE_TYPE_DISCRETE;
        fintervals->discrete.numerator = 1;
        fintervals->discrete.denominator =