User controls @event_id, which is to be used as an index of perf_swevent_enabled. So, it can be exploited via a Spectre-like attack (speculative execution).
So sanitize @event_id before using it to prevent attack. I leveraged strategy [1] to find this gadget. [1] https://github.com/jinb-park/linux-exploit/ tree/master/exploit-remaining-spectre-gadget/ Signed-off-by: Jinbum Park <jinb.pa...@gmail.com> --- kernel/events/core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c index f6ea33a..3313552 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -50,6 +50,7 @@ #include <linux/sched/mm.h> #include <linux/proc_ns.h> #include <linux/mount.h> +#include <linux/nospec.h> #include "internal.h" @@ -8200,6 +8201,7 @@ static int perf_swevent_init(struct perf_event *event) if (err) return err; + event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX); static_key_slow_inc(&perf_swevent_enabled[event_id]); event->destroy = sw_perf_event_destroy; } -- 1.9.1
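Review bot: in the perf_swevent_init() hunk, array_index_nospec() only masks the index; it relies on an earlier `event_id < PERF_COUNT_SW_MAX` bounds check that this hunk's context lines do not show, so the commit message should name that check and the clamp should sit directly after it rather than only in front of `static_key_slow_inc(&perf_swevent_enabled[event_id]);`. As placed, the clamp lives inside the block that ends with `if (err) return err;`, so it is worth confirming (and stating in the message) that no other indexed use of `event_id` in this function reaches an array on a path that skips this block.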