In the Linux kernel, the following vulnerability has been resolved:
powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
Smatch warns:
arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap)
The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks.
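Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. The bounds checks alone only constrain the architectural path; on a mispredicted branch the CPU can still speculatively use an out-of-range value, which is what the clamp prevents.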
{ "vanir_signatures": [ { "id": "CVE-2024-46774-1a2f0830", "signature_type": "Line", "target": { "file": "arch/powerpc/kernel/rtas.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "117061540458502978226021353847008450185", "38664397903050366240250113124846771475", "249529226863844397044835663141336693055", "190916402703427029026909792493492796055", "276198107666432415289477615813108352889", "211242009451719067135579792682729380254", "221131957656426454304932482996805759343" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0974d03eb479384466d828d65637814bee6b26d7" }, { "id": "CVE-2024-46774-405ec980", "signature_type": "Line", "target": { "file": "arch/powerpc/kernel/rtas.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "117061540458502978226021353847008450185", "38664397903050366240250113124846771475", "249529226863844397044835663141336693055", "190916402703427029026909792493492796055", "276198107666432415289477615813108352889", "211242009451719067135579792682729380254", "221131957656426454304932482996805759343" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@68d8156480940b79227d58865ec5d2947b9384a8" }, { "id": "CVE-2024-46774-59a43b8b", "signature_type": "Line", "target": { "file": "arch/powerpc/kernel/rtas.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "234178536011860589162588776072517748193", "269397585518943774619246192853311285230", "35142650357276686480193198380301091951", "65359201585613952704466589300912458643", "276198107666432415289477615813108352889", "211242009451719067135579792682729380254", "221131957656426454304932482996805759343" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1f1feff02e9da0dd0cdb195c428c42b5f9b6c771" }, { "id": "CVE-2024-46774-75ce6f45", "signature_type": "Line", "target": { 
"file": "arch/powerpc/kernel/rtas.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "210105100714043393132753234478541399899", "55506001346850484003550351797465199719", "32561140137441353565682376468454929567", "107383514317636928265724306251499194772", "276198107666432415289477615813108352889", "211242009451719067135579792682729380254", "221131957656426454304932482996805759343" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b137af795399d8b657bad1646c18561530f35ed1" }, { "id": "CVE-2024-46774-b563fd04", "signature_type": "Function", "target": { "file": "arch/powerpc/kernel/rtas.c", "function": "SYSCALL_DEFINE1" }, "signature_version": "v1", "digest": { "length": 1783.0, "function_hash": "68988983204434150434217211881906049624" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b137af795399d8b657bad1646c18561530f35ed1" }, { "id": "CVE-2024-46774-c14517e9", "signature_type": "Function", "target": { "file": "arch/powerpc/kernel/rtas.c", "function": "SYSCALL_DEFINE1" }, "signature_version": "v1", "digest": { "length": 1831.0, "function_hash": "130980667980114342871511553645850599697" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1f1feff02e9da0dd0cdb195c428c42b5f9b6c771" }, { "id": "CVE-2024-46774-dbac901d", "signature_type": "Function", "target": { "file": "arch/powerpc/kernel/rtas.c", "function": "SYSCALL_DEFINE1" }, "signature_version": "v1", "digest": { "length": 1946.0, "function_hash": "325666815806078184000630999491820543188" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0974d03eb479384466d828d65637814bee6b26d7" }, { "id": "CVE-2024-46774-e6e0f807", "signature_type": "Function", "target": { "file": "arch/powerpc/kernel/rtas.c", "function": "SYSCALL_DEFINE1" }, "signature_version": "v1", "digest": { "length": 1946.0, 
"function_hash": "325666815806078184000630999491820543188" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@68d8156480940b79227d58865ec5d2947b9384a8" } ] }