platform: nvadsp: prevent speculative load related leak

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, use array_index_nospec.

Bug 2060857
CVE-2017-5753

Change-Id: I3b79ab2df0cff5eb7f94f8056cfdfb98ac69037a
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1684649
Reviewed-by: Bo Yan <byan@nvidia.com>
Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
This commit is contained in:
David Gilhooley
2018-03-29 14:27:38 -07:00
committed by Laxman Dewangan
parent c844c3a973
commit d56b0972b0
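
The clamping that the commit message relies on, as an added userspace model (not code from this commit or from the driver). It follows the generic mask computation in the kernel's `include/linux/nospec.h`; the names `index_mask_nospec`, `index_nospec`, `DEMO_MBOX_MAX` and `demo_*` are hypothetical, the table size is a constructed value, and an arithmetic right shift of negative `long` values (as gcc and clang do) is assumed.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/*
 * All ones when index < size, zero otherwise, computed without a
 * conditional branch so there is nothing for the CPU to mispredict.
 * Like the kernel helper, valid only for index and size <= LONG_MAX.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (BITS_PER_LONG - 1));
}

/* In-range indexes pass through; out-of-range indexes collapse to 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Constructed stand-in for a mailbox table; the size is an assumption. */
#define DEMO_MBOX_MAX 32
static int demo_mboxes[DEMO_MBOX_MAX];

static int demo_lookup(unsigned long mid)
{
    if (mid >= DEMO_MBOX_MAX)
        return -1;                       /* architectural bounds check */
    /* Clamp with the SAME bound, so a mispredicted check still reads
     * inside demo_mboxes[] and leaves no out-of-bounds data in cache. */
    mid = index_nospec(mid, DEMO_MBOX_MAX);
    return demo_mboxes[mid];
}

int main(void)
{
    unsigned long samples[] = { 0, 5, 31, 32, 600 };  /* constructed inputs */
    demo_mboxes[5] = 42;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("mid=%lu clamped=%lu lookup=%d\n", samples[i],
               index_nospec(samples[i], DEMO_MBOX_MAX),
               demo_lookup(samples[i]));
    return 0;
}
```
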

@@ -14,6 +14,7 @@
*/
#include "dev.h"
#include <linux/nospec.h>
#include <asm/barrier.h>
#define NVADSP_MAILBOX_START 512
@@ -187,7 +188,9 @@ status_t nvadsp_mbox_open(struct nvadsp_mbox *mbox, uint16_t *mid,
ret = -ERANGE;
goto out;
}
speculation_barrier();
*mid = array_index_nospec(*mid, NVADSP_MAILBOX_MAX);
if (nvadsp_drv_data->mboxes[*mid]) {
pr_debug("%s: mailbox %d already opened.\n",
__func__, *mid);
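
Review bot: speculation_barrier() immediately before array_index_nospec() in nvadsp_mbox_open() looks redundant. array_index_nospec() clamps *mid under speculation without needing a barrier, and the commit message names only array_index_nospec as the mitigation. Either drop the barrier or say in the message why both are required. Please also confirm that the range check ending just above (the -ERANGE path) uses the same bound, NVADSP_MAILBOX_MAX, and that mboxes[] has exactly that many entries: the clamp protects the mboxes[*mid] lookup only if its size argument matches the array, and neither the check nor the array declaration is visible in this context.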