[PATCH net] xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net] xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()
@ 2023-01-20 13:02 Eric Dumazet
  2023-01-20 15:40 ` Dmitry Safonov
  2023-01-24 10:38 ` Steffen Klassert
  0 siblings, 2 replies; 3+ messages in thread
From: Eric Dumazet @ 2023-01-20 13:02 UTC (permalink / raw)
  To: David S . Miller, Jakub Kicinski, Paolo Abeni
  Cc: netdev, eric.dumazet, Eric Dumazet, Dmitry Safonov,
	Steffen Klassert

  int type = nla_type(nla);

  if (type > XFRMA_MAX) {
            return -EOPNOTSUPP;
  }

@type is then used as an array index and can be used
as a Spectre v1 gadget.

  if (nla_len(nla) < compat_policy[type].len) {

array_index_nospec() can be used to prevent leaking
content of kernel memory to malicious users.

Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Dmitry Safonov <dima@arista.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_compat.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
index a0f62fa02e06e0aa97901aaf226dc84895f6a8ec..46bb239e4f06d56abbf3deecd89ac26625efb560 100644
--- a/net/xfrm/xfrm_compat.c
+++ b/net/xfrm/xfrm_compat.c
@@ -5,6 +5,7 @@
  * Based on code and translator idea by: Florian Westphal <fw@strlen.de>
  */
 #include <linux/compat.h>
+#include <linux/nospec.h>
 #include <linux/xfrm.h>
 #include <net/xfrm.h>
 
@@ -437,6 +438,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla,
 		NL_SET_ERR_MSG(extack, "Bad attribute");
 		return -EOPNOTSUPP;
 	}
+	type = array_index_nospec(type, XFRMA_MAX + 1);
 	if (nla_len(nla) < compat_policy[type].len) {
 		NL_SET_ERR_MSG(extack, "Attribute bad length");
 		return -EOPNOTSUPP;
-- 
2.39.1.405.gd4c25cc71f-goog


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH net] xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()
  2023-01-20 13:02 [PATCH net] xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr() Eric Dumazet
@ 2023-01-20 15:40 ` Dmitry Safonov
  2023-01-24 10:38 ` Steffen Klassert
  1 sibling, 0 replies; 3+ messages in thread
From: Dmitry Safonov @ 2023-01-20 15:40 UTC (permalink / raw)
  To: Eric Dumazet, Jakub Kicinski
  Cc: netdev, eric.dumazet, Steffen Klassert, David S . Miller,
	Paolo Abeni

On 1/20/23 13:02, Eric Dumazet wrote:
>   int type = nla_type(nla);
> 
>   if (type > XFRMA_MAX) {
>             return -EOPNOTSUPP;
>   }
> 
> @type is then used as an array index and can be used
> as a Spectre v1 gadget.
> 
>   if (nla_len(nla) < compat_policy[type].len) {
> 
> array_index_nospec() can be used to prevent leaking
> content of kernel memory to malicious users.
> 
> Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Dmitry Safonov <dima@arista.com>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>

Reviewed-by: Dmitry Safonov <dima@arista.com>

Thanks, Eric!

> ---
>  net/xfrm/xfrm_compat.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
> index a0f62fa02e06e0aa97901aaf226dc84895f6a8ec..46bb239e4f06d56abbf3deecd89ac26625efb560 100644
> --- a/net/xfrm/xfrm_compat.c
> +++ b/net/xfrm/xfrm_compat.c
> @@ -5,6 +5,7 @@
>   * Based on code and translator idea by: Florian Westphal <fw@strlen.de>
>   */
>  #include <linux/compat.h>
> +#include <linux/nospec.h>
>  #include <linux/xfrm.h>
>  #include <net/xfrm.h>
>  
> @@ -437,6 +438,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla,
>  		NL_SET_ERR_MSG(extack, "Bad attribute");
>  		return -EOPNOTSUPP;
>  	}
> +	type = array_index_nospec(type, XFRMA_MAX + 1);
>  	if (nla_len(nla) < compat_policy[type].len) {
>  		NL_SET_ERR_MSG(extack, "Attribute bad length");
>  		return -EOPNOTSUPP;

-- 
          Dmitry


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH net] xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()
  2023-01-20 13:02 [PATCH net] xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr() Eric Dumazet
  2023-01-20 15:40 ` Dmitry Safonov
@ 2023-01-24 10:38 ` Steffen Klassert
  1 sibling, 0 replies; 3+ messages in thread
From: Steffen Klassert @ 2023-01-24 10:38 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, netdev,
	eric.dumazet, Dmitry Safonov

On Fri, Jan 20, 2023 at 01:02:49PM +0000, Eric Dumazet wrote:
>   int type = nla_type(nla);
> 
>   if (type > XFRMA_MAX) {
>             return -EOPNOTSUPP;
>   }
> 
> @type is then used as an array index and can be used
> as a Spectre v1 gadget.
> 
>   if (nla_len(nla) < compat_policy[type].len) {
> 
> array_index_nospec() can be used to prevent leaking
> content of kernel memory to malicious users.
> 
> Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Dmitry Safonov <dima@arista.com>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>

Applied to the ipsec tree, thanks a lot Eric!

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2023-01-24 10:39 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-01-20 13:02 [PATCH net] xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr() Eric Dumazet
2023-01-20 15:40 ` Dmitry Safonov
2023-01-24 10:38 ` Steffen Klassert

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).