From b7b26691c72f23cb12e19cf5cc53ba1d1af59388 Mon Sep 17 00:00:00 2001 From: Elena Reshetova Date: Thu, 4 Jan 2018 01:53:58 -0800 Subject: [PATCH] Thermal/int340x: prevent speculative execution Since the trip value in function int340x_thermal_get_trip_temp() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve d->aux_trips, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova Orabug: 27340445 CVE: CVE-2017-5753 Signed-off-by: Chuck Anderson Conflicts: patch refers to arch/x86/include/asm/msr-index.h code base has arch/x86/include/uapi/asm/msr-index.h Reviewed-by: John Haxby Signed-off-by: Kirtikar Kashyap --- .../thermal/int340x_thermal/int340x_thermal_zone.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c index 1e25133d35e2..505c3d2a7ab6 100644 --- a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c +++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c @@ -57,15 +57,16 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone, if (d->override_ops && d->override_ops->get_trip_temp) return d->override_ops->get_trip_temp(zone, trip, temp); - if (trip < d->aux_trip_nr) + if (trip < d->aux_trip_nr) { + osb(); *temp = d->aux_trips[trip]; - else if (trip == d->crt_trip_id) + } else if (trip == d->crt_trip_id) { *temp = d->crt_temp; - else if (trip == d->psv_trip_id) + } else if (trip == d->psv_trip_id) { *temp = d->psv_temp; - else if (trip == d->hot_trip_id) + } else if (trip == d->hot_trip_id) { *temp = d->hot_temp; - else { + } else { for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) { if (d->act_trips[i].valid && d->act_trips[i].id == trip) { -- 2.50.1