linux/drivers/usb/gadget/function
Gustavo A. R. Silva 87f8db6581 usb: gadget: storage: Fix Spectre v1 vulnerability
commit 9ae24af366 upstream.

num can be indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/usb/gadget/function/f_mass_storage.c:3177 fsg_lun_make() warn:
potential spectre issue 'fsg_opts->common->luns' [r] (local cap)

Fix this by sanitizing num before using it to index
fsg_opts->common->luns.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Felipe Balbi <felipe.balbi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-11-10 07:41:43 -08:00
f_acm.c ACM gadget: fix endianness in notifications 2017-03-30 09:35:16 +02:00
f_ecm.c
f_eem.c
f_fs.c usb: gadget: f_fs: Only return delayed status when len is 0 2018-07-28 07:45:03 +02:00
f_hid.c usb: gadget: f_hid: fix: Prevent accessing released memory 2018-04-08 11:51:56 +02:00
f_loopback.c
f_mass_storage.c usb: gadget: storage: Fix Spectre v1 vulnerability 2018-11-10 07:41:43 -08:00
f_mass_storage.h USB: g_mass_storage: Fix deadlock when driver is unbound 2017-10-12 11:27:32 +02:00
f_midi.c usb: gadget: define free_ep_req as universal function 2018-04-08 11:51:56 +02:00
f_ncm.c
f_obex.c
f_phonet.c
f_printer.c
f_rndis.c
f_serial.c
f_sourcesink.c usb: gadget: define free_ep_req as universal function 2018-04-08 11:51:56 +02:00
f_subset.c
f_uac1.c
f_uac2.c usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3' 2018-09-05 09:18:34 +02:00
f_uvc.c usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed 2017-12-25 14:22:10 +01:00
f_uvc.h
g_zero.h usb: gadget: define free_ep_req as universal function 2018-04-08 11:51:56 +02:00
Makefile
ndis.h
rndis.c
rndis.h
storage_common.c
storage_common.h
u_ecm.h
u_eem.h
u_ether_configfs.h
u_ether.c
u_ether.h
u_fs.h
u_gether.h
u_hid.h
u_midi.h
u_ncm.h
u_phonet.h
u_printer.h
u_rndis.h
u_serial.c usb: gadget: serial: fix oops when data rx'd after close 2018-10-20 09:52:38 +02:00
u_serial.h
u_uac1.c
u_uac1.h
u_uac2.h
u_uvc.h
uvc_configfs.c usb: gadget: uvc: Missing files for configfs interface 2018-02-16 20:09:40 +01:00
uvc_configfs.h
uvc_queue.c
uvc_queue.h
uvc_v4l2.c
uvc_v4l2.h
uvc_video.c usb: gadget: composite: always set ep->mult to a sensible value 2017-01-12 11:22:51 +01:00
uvc_video.h
uvc.h