From mboxrd@z Thu Jan 1 00:00:00 1970 From: Sergei Shtylyov Subject: Re: [PATCH 13/18] ipv6: prevent bounds-check bypass via speculative execution Date: Sat, 6 Jan 2018 13:04:05 +0300 Message-ID: <9df738f5-65d9-4560-4b8b-120813a203ce@cogentembedded.com> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520106487.32271.6013001625427346680.stgit@dwillia2-desk3.amr.corp.intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <151520106487.32271.6013001625427346680.stgit@dwillia2-desk3.amr.corp.intel.com> Content-Language: en-US Sender: netdev-owner@vger.kernel.org To: Dan Williams , linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, Hideaki YOSHIFUJI , netdev@vger.kernel.org, peterz@infradead.org, gregkh@linuxfoundation.org, Alexey Kuznetsov , tglx@linutronix.de, torvalds@linux-foundation.org, "David S. Miller" , Elena Reshetova , alan@linux.intel.com List-Id: linux-arch.vger.kernel.org On 1/6/2018 4:11 AM, Dan Williams wrote: > Static analysis reports that 'offset' may be a user controlled value > that is used as a data dependency reading from a raw6_frag_vec buffer. > In order to avoid potential leaks of kernel memory values, block > speculative execution of the instruction stream that could issue further > reads based on an invalid '*(rfv->c + offset)' value. > > Based on an original patch by Elena Reshetova. > > Cc: "David S. Miller" > Cc: Alexey Kuznetsov > Cc: Hideaki YOSHIFUJI > Cc: netdev@vger.kernel.org > Signed-off-by: Elena Reshetova > Signed-off-by: Dan Williams > --- > net/ipv6/raw.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c > index 761a473a07c5..384e3d59d148 100644 > --- a/net/ipv6/raw.c > +++ b/net/ipv6/raw.c [...] > @@ -725,17 +726,17 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd, > struct sk_buff *skb) > { > struct raw6_frag_vec *rfv = from; > + char *rfv_buf; > > - if (offset < rfv->hlen) { > + if ((rfv_buf = nospec_array_ptr(rfv->c, offset, rfv->hlen))) { And here... > int copy = min(rfv->hlen - offset, len); > > if (skb->ip_summed == CHECKSUM_PARTIAL) > - memcpy(to, rfv->c + offset, copy); > + memcpy(to, rfv_buf, copy); > else > skb->csum = csum_block_add( > skb->csum, > - csum_partial_copy_nocheck(rfv->c + offset, > - to, copy, 0), > + csum_partial_copy_nocheck(rfv_buf, to, copy, 0), > odd); > > odd = 0; MBR, Sergei From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-lf0-f68.google.com ([209.85.215.68]:41171 "EHLO mail-lf0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752826AbeAFKEH (ORCPT ); Sat, 6 Jan 2018 05:04:07 -0500 Received: by mail-lf0-f68.google.com with SMTP id h137so7505771lfe.8 for ; Sat, 06 Jan 2018 02:04:07 -0800 (PST) Subject: Re: [PATCH 13/18] ipv6: prevent bounds-check bypass via speculative execution References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520106487.32271.6013001625427346680.stgit@dwillia2-desk3.amr.corp.intel.com> From: Sergei Shtylyov Message-ID: <9df738f5-65d9-4560-4b8b-120813a203ce@cogentembedded.com> Date: Sat, 6 Jan 2018 13:04:05 +0300 MIME-Version: 1.0 In-Reply-To: <151520106487.32271.6013001625427346680.stgit@dwillia2-desk3.amr.corp.intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-arch-owner@vger.kernel.org List-ID: To: Dan Williams , linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, Hideaki YOSHIFUJI , netdev@vger.kernel.org, peterz@infradead.org, gregkh@linuxfoundation.org, Alexey Kuznetsov , tglx@linutronix.de, torvalds@linux-foundation.org, "David S. Miller" , Elena Reshetova , alan@linux.intel.com Message-ID: <20180106100405.rGsRbpYCP16w_clTL1bYUDeEzzyLf_gJVAOYCRB6LPw@z> On 1/6/2018 4:11 AM, Dan Williams wrote: > Static analysis reports that 'offset' may be a user controlled value > that is used as a data dependency reading from a raw6_frag_vec buffer. > In order to avoid potential leaks of kernel memory values, block > speculative execution of the instruction stream that could issue further > reads based on an invalid '*(rfv->c + offset)' value. > > Based on an original patch by Elena Reshetova. > > Cc: "David S. Miller" > Cc: Alexey Kuznetsov > Cc: Hideaki YOSHIFUJI > Cc: netdev@vger.kernel.org > Signed-off-by: Elena Reshetova > Signed-off-by: Dan Williams > --- > net/ipv6/raw.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c > index 761a473a07c5..384e3d59d148 100644 > --- a/net/ipv6/raw.c > +++ b/net/ipv6/raw.c [...] > @@ -725,17 +726,17 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd, > struct sk_buff *skb) > { > struct raw6_frag_vec *rfv = from; > + char *rfv_buf; > > - if (offset < rfv->hlen) { > + if ((rfv_buf = nospec_array_ptr(rfv->c, offset, rfv->hlen))) { And here... > int copy = min(rfv->hlen - offset, len); > > if (skb->ip_summed == CHECKSUM_PARTIAL) > - memcpy(to, rfv->c + offset, copy); > + memcpy(to, rfv_buf, copy); > else > skb->csum = csum_block_add( > skb->csum, > - csum_partial_copy_nocheck(rfv->c + offset, > - to, copy, 0), > + csum_partial_copy_nocheck(rfv_buf, to, copy, 0), > odd); > > odd = 0; MBR, Sergei