From c79dd8ba507c379828d6a303a67b067cf4e0bb40 Mon Sep 17 00:00:00 2001 From: David Gilhooley Date: Fri, 15 Dec 2017 09:59:17 -0800 Subject: [PATCH] platform: nvadsp: prevent speculative load related leak Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem, insert speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: I5a745320b64bf6689cf8ac4b713cf1b32f662a23 Signed-off-by: David Gilhooley Reviewed-on: https://git-master.nvidia.com/r/1640352 Reviewed-by: Bharat Nihalani Reviewed-by: Ajay Nandakumar M Reviewed-by: Sachin Nikam Tested-by: Sachin Nikam GVS: Gerrit_Virtual_Submit Reviewed-by: mobile promotions Tested-by: mobile promotions --- drivers/platform/tegra/nvadsp/mailbox.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/platform/tegra/nvadsp/mailbox.c b/drivers/platform/tegra/nvadsp/mailbox.c index 8c2d2c9a..06e2159c 100644 --- a/drivers/platform/tegra/nvadsp/mailbox.c +++ b/drivers/platform/tegra/nvadsp/mailbox.c @@ -1,7 +1,7 @@ /* * ADSP mailbox manager * - * Copyright (c) 2014-2017, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2014-2018, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -14,6 +14,7 @@ */ #include "dev.h" +#include #define NVADSP_MAILBOX_START 512 #define NVADSP_MAILBOX_MAX 1024 @@ -184,6 +185,7 @@ status_t nvadsp_mbox_open(struct nvadsp_mbox *mbox, uint16_t *mid, ret = -ERANGE; goto out; } + speculation_barrier(); if (nvadsp_drv_data->mboxes[*mid]) { pr_debug("%s: mailbox %d already opened.\n", __func__, *mid);