Thread: 8 messages, 4 authors, 2018-10-22

Re: [PATCH] Input: uinput - fix Spectre v1 vulnerability

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date: 2018-10-16 17:34:11
Also in: lkml

Hi Gustavo,

On Tue, Oct 16, 2018 at 01:13:13PM +0200, Gustavo A. R. Silva wrote:
> setup.code can be indirectly controlled by user-space, hence leading to
> a potential exploitation of the Spectre variant 1 vulnerability.
> 
> This issue was detected with the help of Smatch:
> 
> drivers/input/misc/uinput.c:512 uinput_abs_setup() warn: potential
> spectre issue 'dev->absinfo' [w] (local cap)
> 
> Fix this by sanitizing setup.code before using it to index dev->absinfo.
So we are saying that an attacker, by repeatedly calling ioctl(...,
UI_ABS_SETUP, ...), will be able to poison the branch predictor and discover
another program's or the kernel's secrets? But uinput is a privileged interface
open to root only, as it allows injecting arbitrary keystrokes into the
kernel. And since only root can use uinput, meh?

Thanks.

-- 
Dmitry
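The pattern the quoted commit message describes (a bounds check on a user-controlled index, followed by a masking step so a mispredicted branch cannot speculatively index past the array) is shown below as an added user-space example. It is not the patch under discussion and not kernel code: the kernel's own helper lives in linux/nospec.h as array_index_nospec(), and nospec_mask()/index_nospec() here re-implement the generic arithmetic fallback of that helper so the block compiles stand-alone. The struct and constant names (uinput_device, uinput_abs_setup, ABS_MAX, ABS_CNT) are constructed stand-ins that mirror the input API only as far as the example needs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the uinput/input structures (not the kernel's). */
#define ABS_MAX 0x3f
#define ABS_CNT (ABS_MAX + 1)

struct input_absinfo {
    int32_t value, minimum, maximum, fuzz, flat, resolution;
};

struct uinput_device {
    struct input_absinfo absinfo[ABS_CNT];
};

struct uinput_abs_setup {
    uint16_t code;                 /* user-controlled array index */
    struct input_absinfo absinfo;
};

/*
 * User-space re-implementation of the kernel's generic
 * array_index_mask_nospec(): returns ~0UL when index < size and 0
 * otherwise, using only arithmetic, so there is no data-dependent
 * branch for the CPU to mispredict.
 */
static inline unsigned long nospec_mask(unsigned long index, unsigned long size)
{
    unsigned long top;
#if defined(__GNUC__)
    /* Keep the compiler from "proving" the mask is redundant and dropping it. */
    __asm__ __volatile__("" : "+r"(index));
#endif
    /*
     * For index < size, both index and (size - 1 - index) are < size, so
     * their OR has the top bit clear and ~ sets it.  For index >= size the
     * subtraction wraps, the OR becomes all ones and ~ yields 0.
     */
    top = ~(index | (size - 1UL - index)) >> (sizeof(unsigned long) * 8 - 1);
    return 0UL - top;   /* 1 -> ~0UL, 0 -> 0 */
}

/* Clamp index into [0, size) without a branch (mirrors array_index_nospec). */
static inline unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & nospec_mask(index, size);
}

/*
 * 'Before': the check is correct architecturally, but while the branch is
 * being resolved the CPU may speculatively execute the store with an
 * out-of-range code, which is what the Smatch warning points at.
 */
int abs_setup_unpatched(struct uinput_device *dev, const struct uinput_abs_setup *setup)
{
    if (setup->code > ABS_MAX)
        return -EINVAL;
    dev->absinfo[setup->code] = setup->absinfo;
    return 0;
}

/* 'After': same check, but the index is masked to 0 when out of range. */
int abs_setup_hardened(struct uinput_device *dev, const struct uinput_abs_setup *setup)
{
    unsigned long code = setup->code;

    if (code > ABS_MAX)
        return -EINVAL;
    code = index_nospec(code, ABS_CNT);
    dev->absinfo[code] = setup->absinfo;
    return 0;
}

int main(void)
{
    struct uinput_device dev;
    struct uinput_abs_setup ok, bad;

    memset(&dev, 0, sizeof dev);
    memset(&ok, 0, sizeof ok);
    memset(&bad, 0, sizeof bad);
    ok.code = 5;
    ok.absinfo.maximum = 1023;
    bad.code = ABS_CNT;   /* one past the end */

    printf("in-range setup: %d, out-of-range setup: %d\n",
           abs_setup_hardened(&dev, &ok), abs_setup_hardened(&dev, &bad));
    printf("masked index for %d is %lu\n", ABS_CNT + 1, index_nospec(ABS_CNT + 1, ABS_CNT));
    return 0;
}
```

The mask only matters on the speculative path: architecturally both versions reject the bad code with -EINVAL, but in the hardened one any transiently executed store lands on absinfo[0] rather than at an attacker-chosen offset. Whether that is worth a patch for a root-only interface is exactly the question raised in the reply above.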