host1x: prevent speculative load related leak
Jeetesh Burman [Thu, 19 Apr 2018 15:57:20 +0000 (20:57 +0530)]
Data can be speculatively loaded from memory and stay in cache even
when the bounds check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ifc618c00cee497e6d84cac01a9b73fcecbe8f260
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650036
(cherry picked from commit 164f8684deb5b15a53c60a60c7d9b8e3bf5af5be)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682714
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698611
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

drivers/video/tegra/host/host1x/host1x.c

index 5222194..6af16ba 100644 (file)
@@ -33,6 +33,8 @@
 #include <linux/tegra-soc.h>
 #include <linux/tegra_pm_domains.h>
 
+#include <linux/version.h>
+#include <asm/barrier.h>
 #include "dev.h"
 #include <trace/events/nvhost.h>
 
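Review bot: <linux/version.h> is added in this hunk but nothing in the visible hunks uses LINUX_VERSION_CODE or KERNEL_VERSION(), so either the include is dead or the version-conditional definition it was meant to guard is missing from the patch. The diff also does not show where speculation_barrier() is defined, so the build relies on this tree's <asm/barrier.h> providing it; mainline addresses CVE-2017-5753 with array_index_nospec() from <linux/nospec.h>, which clamps the index rather than serializing, and would be the portable choice if this driver is ever rebased.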
@@ -267,6 +269,8 @@ static int nvhost_ioctl_ctrl_module_mutex(struct nvhost_ctrl_userctx *ctx,
            args->lock > 1)
                return -EINVAL;
 
+       speculation_barrier();
+
        trace_nvhost_ioctl_ctrl_module_mutex(args->lock, args->id);
        if (args->lock && !ctx->mod_locks[args->id]) {
                if (args->id == 0)
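Review bot: the barrier is correctly placed between the range check and the first dependent load at `ctx->mod_locks[args->id]`, but the check on `args->id` itself lies above the visible context; confirm that it is the check immediately preceding `args->lock > 1` and that no other use of `args->id` occurs between that check and the new barrier, otherwise the speculative window is still open. A full speculation barrier also stalls every call of this ioctl; clamping the index once with array_index_nospec(args->id, <number of mod locks>) would limit the cost to the single array access.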
@@ -379,6 +383,7 @@ static int nvhost_ioctl_ctrl_syncpt_read_max(struct nvhost_ctrl_userctx *ctx,
 {
        if (args->id >= nvhost_syncpt_nb_pts(&ctx->dev->syncpt))
                return -EINVAL;
+       speculation_barrier();
        args->value = nvhost_syncpt_read_max(&ctx->dev->syncpt, args->id);
        return 0;
 }
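Review bot: style inconsistency with the previous hunk, which separates speculation_barrier() from the following statement with a blank line; use one layout at both call sites. Placement is otherwise right: the barrier follows the `args->id >= nvhost_syncpt_nb_pts()` check and precedes nvhost_syncpt_read_max(), which indexes by `args->id`. A short comment referencing CVE-2017-5753 beside the call would stop a later cleanup from reordering it past the check or the use; as with the other hunk, array_index_nospec(args->id, nvhost_syncpt_nb_pts(&ctx->dev->syncpt)) would mitigate the same access without a full barrier.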