Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / kernel / common / 3a2af7cccbbaf2362db9053a946a6084e12bfa73
commit3a2af7cccbbaf2362db9053a946a6084e12bfa73[log] [tgz]
authorJinbum Park <jinb.park7@gmail.com>Tue Jul 31 23:10:40 2018 +0900
committerJohannes Berg <johannes.berg@intel.com>Tue Aug 28 11:14:56 2018 +0200
treef2d2335e8f2e74b528d4ee0648a721505b342ef6
parent20932750d9c78d307e4f2f18f9c6a32b82b1e0e8 [diff]
mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom

User controls @idx which to be used as index of hwsim_world_regdom_custom.
So, It can be exploited via Spectre-like attack. (speculative execution)

This kind of attack leaks address of hwsim_world_regdom_custom,
It leads an attacker to bypass security mechanism such as KASLR.

So sanitize @idx before using it to prevent attack.

I leveraged strategy [1] to find and exploit this gadget.

[1] https://github.com/jinb-park/linux-exploit/tree/master/exploit-remaining-spectre-gadget/

Signed-off-by: Jinbum Park <jinb.park7@gmail.com>
[johannes: unwrap URL]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1 file changed
tree: f2d2335e8f2e74b528d4ee0648a721505b342ef6
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .clang-format
  25. .cocciconfig
  26. .get_maintainer.ignore
  27. .gitattributes
  28. .gitignore
  29. .mailmap
  30. COPYING
  31. CREDITS
  32. Kbuild
  33. Kconfig
  34. MAINTAINERS
  35. Makefile
  36. README