Commit c64ca00e authored Apr 20, 2018 by Peter Zijlstra Committed by Greg Kroah-Hartman May 16, 2018

perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]



commit 4411ec1d1993e8dbff2898390e3fed280d88e446 upstream.

> kernel/events/ring_buffer.c:871 perf_mmap_to_page() warn: potential spectre issue 'rb->aux_pages'

Userspace controls @pgoff through the fault address. Sanitize the
array index before doing the array dereference.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 5edbd2d8

kernel/events/ring_buffer.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -14,6 +14,7 @@
		#include <linux/slab.h>
		#include <linux/circ_buf.h>
		#include <linux/poll.h>
		#include <linux/nospec.h>

		#include "internal.h"

		@@ -844,8 +845,10 @@ perf_mmap_to_page(struct ring_buffer *rb, unsigned long pgoff)
		return NULL;

		/* AUX space */
		if (pgoff >= rb->aux_pgoff)
		return virt_to_page(rb->aux_pages[pgoff - rb->aux_pgoff]);
		if (pgoff >= rb->aux_pgoff) {
		int aux_pgoff = array_index_nospec(pgoff - rb->aux_pgoff, rb->aux_nr_pages);
		return virt_to_page(rb->aux_pages[aux_pgoff]);
		}
		}

		return __perf_mmap_to_page(rb, pgoff);