From 17e572445c0f801f4569abd3eadbaf385998161d Mon Sep 17 00:00:00 2001
From: Elena Reshetova
Date: Thu, 4 Jan 2018 01:42:47 -0800
Subject: [PATCH] qla2xxx: prevent speculative execution
Since the handle value in functions qlafx00_status_entry() and qlafx00_multistatus_entry() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve req->outstanding_cmds, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak.
Signed-off-by: Elena Reshetova
Orabug: 27340445
CVE: CVE-2017-5753
Signed-off-by: Chuck Anderson
Reviewed-by: John Haxby
Signed-off-by: Kirtikar Kashyap
---
 drivers/scsi/qla2xxx/qla_mr.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
index 8e4c0131360c..be91550b8c72 100644
--- a/drivers/scsi/qla2xxx/qla_mr.c
+++ b/drivers/scsi/qla2xxx/qla_mr.c
@@ -2302,10 +2302,12 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
 req = ha->req_q_map[que];
 /* Validate handle. */
- if (handle < req->num_outstanding_cmds)
+ if (handle < req->num_outstanding_cmds) {
+ osb();
 sp = req->outstanding_cmds[handle];
- else
+ } else {
 sp = NULL;
+ }
 if (sp == NULL) {
 ql_dbg(ql_dbg_io, vha, 0x3034,
@@ -2653,10 +2655,12 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha,
 req = ha->req_q_map[que];
 /* Validate handle. */
- if (handle < req->num_outstanding_cmds)
+ if (handle < req->num_outstanding_cmds) {
+ osb();
 sp = req->outstanding_cmds[handle];
- else
+ } else {
 sp = NULL;
+ }
 if (sp == NULL) {
 ql_dbg(ql_dbg_io, vha, 0x3044,
--
2.50.1
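Review bot: The `osb();` added inside the bounds check in qlafx00_status_entry() carries no comment saying what it protects, and the existing `/* Validate handle. */` does not explain it; the identical hunk in qlafx00_multistatus_entry() has the same gap. A one-line comment such as `/* Spectre v1 (CVE-2017-5753): no speculative outstanding_cmds[] load past the bounds check */` would keep a later cleanup from removing the barrier as dead code. If this tree carries `array_index_nospec()` from `<linux/nospec.h>`, `handle = array_index_nospec(handle, req->num_outstanding_cmds);` before the array read clamps the index without putting a serializing barrier on the completion path. The diff adds no include, so `osb()` is presumably declared in a header the file already pulls in, which is worth confirming. Both function bodies start and end outside the hunks.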