From bf08d4289bb8a13a5a7b15ffc09e6a4d215219ef Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Wed, 30 Aug 2017 13:45:35 +0300
Subject: [PATCH 80/88] qla2xxx: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the handle value in functions qlafx00_status_entry()
and qlafx00_multistatus_entry() seems to be controllable
by userspace and is later used conditionally (after a bounds
check) to index req->outstanding_cmds, insert an observable
speculation barrier before its use. This should prevent
observable speculation on that branch and avoid disclosing
kernel memory contents.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 drivers/scsi/qla2xxx/qla_mr.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
index 10b742d27e16..15cb37b8a678 100644
--- a/drivers/scsi/qla2xxx/qla_mr.c
+++ b/drivers/scsi/qla2xxx/qla_mr.c
@@ -2304,10 +2304,12 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
 	req = ha->req_q_map[que];
 
 	/* Validate handle. */
-	if (handle < req->num_outstanding_cmds)
+	if (handle < req->num_outstanding_cmds) {
+		osb();
 		sp = req->outstanding_cmds[handle];
-	else
+	} else {
 		sp = NULL;
+	}
 
 	if (sp == NULL) {
 		ql_dbg(ql_dbg_io, vha, 0x3034,
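Review bot: The barrier covers only the `req->outstanding_cmds[handle]` load, while `req = ha->req_q_map[que]` on the first context line is indexed with no check visible in this hunk. If `que` is taken from the same response packet as `handle` (its derivation is outside the hunk), the `req->num_outstanding_cmds` bound is itself read through an unvalidated index, both architecturally and under speculation. I would bound `que` against the size of `req_q_map` before the lookup and bail out on failure; the same applies to the identical lookup in the qlafx00_multistatus_entry() hunk. The function body starts and ends outside the hunk.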
@@ -2655,10 +2657,12 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha,
 		req = ha->req_q_map[que];
 
 		/* Validate handle. */
-		if (handle < req->num_outstanding_cmds)
+		if (handle < req->num_outstanding_cmds) {
+			osb();
 			sp = req->outstanding_cmds[handle];
-		else
+		} else {
 			sp = NULL;
+		}
 
 		if (sp == NULL) {
 			ql_dbg(ql_dbg_io, vha, 0x3044,
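Review bot: `osb()` in qlafx00_multistatus_entry() sits two levels deep, which suggests it runs once per handle inside a loop (the loop header is outside the hunk), so every completed command would pay for a full speculation barrier. If this tree provides `array_index_nospec()` from `<linux/nospec.h>`, clamping the index is cheaper and keeps the mitigation attached to the value: `handle = array_index_nospec(handle, req->num_outstanding_cmds);` as the first statement of the in-bounds branch. Whichever form is kept, a short comment such as `/* Spectre v1: no speculative load past the handle check */` would tell the next reader why it must stay between the check and the load.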
-- 
2.15.1

