platform: nvadsp: prevent speculative load related leak
James Huang [Thu, 1 Feb 2018 01:42:30 +0000 (09:42 +0800)]
Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: I5a745320b64bf6689cf8ac4b713cf1b32f662a23
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640352
Reviewed-on: https://git-master.nvidia.com/r/1649976
(cherry picked from commit 53deb61791f7227f33f365d3a7f12032dc5af4f2)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682712
GVS: Gerrit_Virtual_Submit
Reviewed-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

drivers/platform/tegra/nvadsp/mailbox.c

index c80a718..85e74de 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * ADSP mailbox manager
  *
- * Copyright (c) 2014-2016, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2014-2018, NVIDIA CORPORATION.  All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms and conditions of the GNU General Public License,
@@ -14,6 +14,7 @@
  */
 
 #include "dev.h"
+#include <asm/barrier.h>
 
 #define NVADSP_MAILBOX_START   512
 #define NVADSP_MAILBOX_MAX     1024
@@ -160,6 +161,7 @@ status_t nvadsp_mbox_open(struct nvadsp_mbox *mbox, uint16_t *mid,
                        ret = -EINVAL;
                        goto out;
                }
+               speculation_barrier();
                if (nvadsp_drv_data->mboxes[*mid]) {
                        pr_debug("%s: mailbox %d already opened.\n",
                                 __func__, *mid);