qla2xxx: prevent speculative execution
authorElena Reshetova <elena.reshetova@intel.com>
Thu, 4 Jan 2018 09:42:47 +0000 (01:42 -0800)
committerKirtikar Kashyap <kirtikar.kashyap@oracle.com>
Fri, 12 Jan 2018 18:20:00 +0000 (10:20 -0800)
Since the handle value in functions qlafx00_status_entry()
and qlafx00_multistatus_entry() seems to be controllable
by userspace and later on conditionally (upon bound check)
used to resolve req->outstanding_cmds, insert an observable
speculation barrier before its usage. This should prevent
observable speculation on that branch and avoid leaking
kernel memory contents.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
drivers/scsi/qla2xxx/qla_mr.c

index 8e4c0131360cc7a428153259f1dbb89e4b261f24..be91550b8c72b6741540b954018fa7e15632fedb 100644 (file)
@@ -2302,10 +2302,12 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
        req = ha->req_q_map[que];
 
        /* Validate handle. */
-       if (handle < req->num_outstanding_cmds)
+       if (handle < req->num_outstanding_cmds) {
+               osb();
                sp = req->outstanding_cmds[handle];
-       else
+       } else {
                sp = NULL;
+       }
 
        if (sp == NULL) {
                ql_dbg(ql_dbg_io, vha, 0x3034,
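Review bot: The load `req = ha->req_q_map[que]` one line above the new barrier is itself an array read, and no bounds check on `que` is visible in this hunk; if `que` is taken from the same response packet as `handle`, that load is open to the same speculative out-of-bounds read the commit fences for `outstanding_cmds[handle]`, so it is worth confirming that `que` is range-checked and fenced as well. The same pattern appears in the second hunk, in qlafx00_multistatus_entry(). The bare `osb();` would also benefit from a comment at the call site, for example `/* Spectre v1 (CVE-2017-5753): no speculative outstanding_cmds[] load past the bounds check */`, because nothing there says why a barrier sits inside a plain bounds check. Both functions start and end outside their hunks, so where `que` and `handle` come from cannot be verified from this page.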
@@ -2653,10 +2655,12 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha,
                req = ha->req_q_map[que];
 
                /* Validate handle. */
-               if (handle < req->num_outstanding_cmds)
+               if (handle < req->num_outstanding_cmds) {
+                       osb();
                        sp = req->outstanding_cmds[handle];
-               else
+               } else {
                        sp = NULL;
+               }
 
                if (sp == NULL) {
                        ql_dbg(ql_dbg_io, vha, 0x3044,