From: Chen Jiahao <chenjiahao16@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 186460, https://gitee.com/src-openeuler/kernel/issues/I53MHA
CVE: CVE-2022-23960
--------------------------------
In cpufeature.c, when num is set to ARM64_SPECTRE_BHB, it should not be passed to cpu_hwcap_keys, otherwise the out-of-range error would happen as below:

UBSAN: Undefined behaviour in arch/arm64/kernel/cpufeature.c:1742:3
index 40 is out of range for type 'static_key_false [39]'
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.90+ #1
Call trace:
 dump_backtrace+0x0/0x390
 show_stack+0x24/0x30
 dump_stack+0x130/0x188
 ubsan_epilogue+0x14/0xa4
 __ubsan_handle_out_of_bounds+0x144/0x184
 __enable_cpu_capabilities+0x158/0x1d4
 setup_cpu_features+0x34/0xc8
 smp_cpus_done+0x44/0x13c
 smp_init+0x188/0x1a4
 kernel_init_freeable+0x454/0x974
 kernel_init+0x18/0x150
 ret_from_fork+0x10/0x18

Because KABI cpu_hwcap_keys is consistent and defined with length ARM64_NCAPS, which is smaller than ARM64_SPECTRE_BHB.

Fixes: 2df7cf898c5b ("arm64: fix extra cpucaps setup problem")
Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Reviewed-by: Zhang Jianhua <chris.zjh@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
---
 arch/arm64/kernel/cpufeature.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 996d3476f3c8..d7d8a4ab94b4 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -1732,8 +1732,10 @@ __enable_cpu_capabilities(const struct arm64_cpu_capabilities *caps, for (; caps->matches; caps++) { unsigned int num = caps->capability;
- if (num == ARM64_SPECTRE_BHB) + if (num == ARM64_SPECTRE_BHB) { set_cap_spectre_bhb = true; + continue; + }
if (!(caps->type & scope_mask) || !cpus_have_cap(num)) continue;
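
Review bot: in the `num == ARM64_SPECTRE_BHB` branch, `set_cap_spectre_bhb = true` is assigned before the `!(caps->type & scope_mask) || !cpus_have_cap(num)` test, and with the added `continue` that test is never reached for this capability, so the flag is set whenever the entry appears in `caps`, regardless of scope or of whether the capability was detected. If that is intended, the branch needs a comment saying so and stating why this entry must skip the rest of the loop body (per the commit message, ARM64_SPECTRE_BHB lies beyond the ARM64_NCAPS-sized cpu_hwcap_keys array). Keying the skip on one named constant is also fragile: a check of the form `num >= ARM64_NCAPS` before the cpu_hwcap_keys index described in the commit message would cover any further capability numbered past the array, not only this one. Please also confirm that whatever per-capability work follows the check in this loop is performed for the BHB entry elsewhere, since the `continue` now bypasses all of it.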