platform: nvadsp: prevent speculative load related leak

Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem, insert speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: I5a745320b64bf6689cf8ac4b713cf1b32f662a23 Signed-off-by: David Gilhooley <dgilhooley@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/1640352 Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com> Reviewed-by: Ajay Nandakumar M <anandakumarm@nvidia.com> Reviewed-by: Sachin Nikam <snikam@nvidia.com> Tested-by: Sachin Nikam <snikam@nvidia.com> GVS: Gerrit_Virtual_Submit Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
2025-12-25 02:32:08 +03:00 · 2017-12-15 09:59:17 -08:00
parent 562a14e11b
commit c79dd8ba50
1 changed files with 3 additions and 1 deletions
--- a/drivers/platform/tegra/nvadsp/mailbox.c
+++ b/drivers/platform/tegra/nvadsp/mailbox.c
@@ -1,7 +1,7 @@
 /*
 * ADSP mailbox manager
 *
- * Copyright (c) 2014-2017, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2014-2018, NVIDIA CORPORATION.  All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
@@ -14,6 +14,7 @@
 */

 #include "dev.h"
+#include <asm/barrier.h>

 #define NVADSP_MAILBOX_START	512
 #define NVADSP_MAILBOX_MAX	1024
@@ -184,6 +185,7 @@ status_t nvadsp_mbox_open(struct nvadsp_mbox *mbox, uint16_t *mid,
 			ret = -ERANGE;
 			goto out;
 		}
+		speculation_barrier();
 		if (nvadsp_drv_data->mboxes[*mid]) {
 			pr_debug("%s: mailbox %d already opened.\n",
 				 __func__, *mid);