On October 16, 2018 10:52:58 AM PDT, "Gustavo A. R. Silva" <[email protected]> wrote: >Hi Dmitry, > >On 10/16/18 7:21 PM, Dmitry Torokhov wrote: >> Hi Gustavo, >> >> On Tue, Oct 16, 2018 at 01:13:13PM +0200, Gustavo A. R. Silva wrote: >>> setup.code can be indirectly controlled by user-space, hence leading >to >>> a potential exploitation of the Spectre variant 1 vulnerability. >>> >>> This issue was detected with the help of Smatch: >>> >>> drivers/input/misc/uinput.c:512 uinput_abs_setup() warn: potential >>> spectre issue 'dev->absinfo' [w] (local cap) >>> >>> Fix this by sanitizing setup.code before using it to index >dev->absinfo. >> >> So we are saying that attacker, by repeatedly calling ioctl(..., >> UI_ABS_SETUP, ...) will be able to poison branch predictor and >discover >> another program or kernel secrets? But uinput is a privileged >interface >> open to root only, as it allows injecting arbitrary keystrokes into >the >> kernel. And since only root can use uinput, meh? >> > >Oh I see... in that case this is a false positive. > >Although, I wonder if all these operations are only accessible to root: > >static const struct file_operations uinput_fops = { > .owner = THIS_MODULE, > .open = uinput_open, > .release = uinput_release, > .read = uinput_read, > .write = uinput_write, > .poll = uinput_poll, > .unlocked_ioctl = uinput_ioctl, >#ifdef CONFIG_COMPAT > .compat_ioctl = uinput_compat_ioctl, >#endif > .llseek = no_llseek, >};
/dev/uinput must be 0600, or accessible to equally privileged user, or you'll be opening your system to much mischief. Thanks. -- Dmitry
