* [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets
@ 2018-07-27 22:43 Jeremy Cline
2018-07-27 22:43 ` [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall Jeremy Cline
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Jeremy Cline @ 2018-07-27 22:43 UTC (permalink / raw)
To: David S . Miller; +Cc: netdev, linux-kernel, Josh Poimboeuf, Jeremy Cline
Hi folks,
This fixes a pair of potential spectre v1 gadgets.
Note that because the speculation window is large, the policy is to stop
the speculative out-of-bounds load and not worry if the attack can be
completed with a dependent load or store[0].
[0] https://marc.info/?l=linux-kernel&m=152449131114778
Jeremy Cline (2):
net: socket: fix potential spectre v1 gadget in socketcall
net: socket: Fix potential spectre v1 gadget in sock_is_registered
net/socket.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--
2.17.1
^ permalink raw reply [flat|nested] 9+ messages in thread* [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall 2018-07-27 22:43 [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets Jeremy Cline @ 2018-07-27 22:43 ` Jeremy Cline 2018-07-29 13:59 ` Josh Poimboeuf 2018-07-27 22:43 ` [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered Jeremy Cline 2018-07-29 5:45 ` [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets David Miller 2 siblings, 1 reply; 9+ messages in thread From: Jeremy Cline @ 2018-07-27 22:43 UTC (permalink / raw) To: David S . Miller Cc: netdev, linux-kernel, Josh Poimboeuf, Jeremy Cline, stable 'call' is a user-controlled value, so sanitize the array index after the bounds check to avoid speculating past the bounds of the 'nargs' array. Found with the help of Smatch: net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue 'nargs' [r] (local cap) Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Jeremy Cline <jcline@redhat.com> --- net/socket.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/socket.c b/net/socket.c index 3015ddace71e..f15d5cbb3ba4 100644 --- a/net/socket.c +++ b/net/socket.c @@ -89,6 +89,7 @@ #include <linux/magic.h> #include <linux/slab.h> #include <linux/xattr.h> +#include <linux/nospec.h> #include <linux/uaccess.h> #include <asm/unistd.h> @@ -2504,6 +2505,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) if (call < 1 || call > SYS_SENDMMSG) return -EINVAL; + call = array_index_nospec(call, SYS_SENDMMSG + 1); len = nargs[call]; if (len > sizeof(a)) -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall 2018-07-27 22:43 ` [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall Jeremy Cline @ 2018-07-29 13:59 ` Josh Poimboeuf 0 siblings, 0 replies; 9+ messages in thread From: Josh Poimboeuf @ 2018-07-29 13:59 UTC (permalink / raw) To: Jeremy Cline; +Cc: David S . Miller, netdev, linux-kernel, stable On Fri, Jul 27, 2018 at 10:43:01PM +0000, Jeremy Cline wrote: > 'call' is a user-controlled value, so sanitize the array index after the > bounds check to avoid speculating past the bounds of the 'nargs' array. > > Found with the help of Smatch: > > net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue > 'nargs' [r] (local cap) > > Cc: Josh Poimboeuf <jpoimboe@redhat.com> > Cc: stable@vger.kernel.org > Signed-off-by: Jeremy Cline <jcline@redhat.com> > --- > net/socket.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/socket.c b/net/socket.c > index 3015ddace71e..f15d5cbb3ba4 100644 > --- a/net/socket.c > +++ b/net/socket.c > @@ -89,6 +89,7 @@ > #include <linux/magic.h> > #include <linux/slab.h> > #include <linux/xattr.h> > +#include <linux/nospec.h> > > #include <linux/uaccess.h> > #include <asm/unistd.h> > @@ -2504,6 +2505,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) > > if (call < 1 || call > SYS_SENDMMSG) > return -EINVAL; > + call = array_index_nospec(call, SYS_SENDMMSG + 1); > > len = nargs[call]; > if (len > sizeof(a)) Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com> -- Josh ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered 2018-07-27 22:43 [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets Jeremy Cline 2018-07-27 22:43 ` [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall Jeremy Cline @ 2018-07-27 22:43 ` Jeremy Cline 2018-07-29 13:59 ` Josh Poimboeuf 2018-07-29 5:45 ` [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets David Miller 2 siblings, 1 reply; 9+ messages in thread From: Jeremy Cline @ 2018-07-27 22:43 UTC (permalink / raw) To: David S . Miller Cc: netdev, linux-kernel, Josh Poimboeuf, Jeremy Cline, stable 'family' can be a user-controlled value, so sanitize it after the bounds check to avoid speculative out-of-bounds access. Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Jeremy Cline <jcline@redhat.com> --- net/socket.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/socket.c b/net/socket.c index f15d5cbb3ba4..608e29ae6baf 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister); bool sock_is_registered(int family) { - return family < NPROTO && rcu_access_pointer(net_families[family]); + return family < NPROTO && + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]); } static int __init sock_init(void) -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered 2018-07-27 22:43 ` [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered Jeremy Cline @ 2018-07-29 13:59 ` Josh Poimboeuf 2018-07-29 15:59 ` Jeremy Cline 0 siblings, 1 reply; 9+ messages in thread From: Josh Poimboeuf @ 2018-07-29 13:59 UTC (permalink / raw) To: Jeremy Cline; +Cc: David S . Miller, netdev, linux-kernel, stable On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote: > 'family' can be a user-controlled value, so sanitize it after the bounds > check to avoid speculative out-of-bounds access. > > Cc: Josh Poimboeuf <jpoimboe@redhat.com> > Cc: stable@vger.kernel.org > Signed-off-by: Jeremy Cline <jcline@redhat.com> > --- > net/socket.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/socket.c b/net/socket.c > index f15d5cbb3ba4..608e29ae6baf 100644 > --- a/net/socket.c > +++ b/net/socket.c > @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister); > > bool sock_is_registered(int family) > { > - return family < NPROTO && rcu_access_pointer(net_families[family]); > + return family < NPROTO && > + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]); > } > > static int __init sock_init(void) This is another one where I think it would be better to do the nospec clamp higher up the call chain. The untrusted 'family' value comes from __sock_diag_cmd(): __sock_diag_cmd sock_load_diag_module sock_is_registered That function has a bounds check, and also uses the value in some other array accesses: if (req->sdiag_family >= AF_MAX) return -EINVAL; if (sock_diag_handlers[req->sdiag_family] == NULL) sock_load_diag_module(req->sdiag_family, 0); mutex_lock(&sock_diag_table_mutex); hndl = sock_diag_handlers[req->sdiag_family]; ... So I think clamping 'req->sdiag_family' right after the bounds check would be the way to go. -- Josh ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered 2018-07-29 13:59 ` Josh Poimboeuf @ 2018-07-29 15:59 ` Jeremy Cline 2018-08-13 17:16 ` Josh Poimboeuf 0 siblings, 1 reply; 9+ messages in thread From: Jeremy Cline @ 2018-07-29 15:59 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: David S . Miller, netdev, linux-kernel, stable On 07/29/2018 09:59 AM, Josh Poimboeuf wrote: > On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote: >> 'family' can be a user-controlled value, so sanitize it after the bounds >> check to avoid speculative out-of-bounds access. >> >> Cc: Josh Poimboeuf <jpoimboe@redhat.com> >> Cc: stable@vger.kernel.org >> Signed-off-by: Jeremy Cline <jcline@redhat.com> >> --- >> net/socket.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/net/socket.c b/net/socket.c >> index f15d5cbb3ba4..608e29ae6baf 100644 >> --- a/net/socket.c >> +++ b/net/socket.c >> @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister); >> >> bool sock_is_registered(int family) >> { >> - return family < NPROTO && rcu_access_pointer(net_families[family]); >> + return family < NPROTO && >> + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]); >> } >> >> static int __init sock_init(void) > > This is another one where I think it would be better to do the nospec > clamp higher up the call chain. The untrusted 'family' value comes from > __sock_diag_cmd(): > > __sock_diag_cmd > sock_load_diag_module > sock_is_registered > > That function has a bounds check, and also uses the value in some other > array accesses: > > if (req->sdiag_family >= AF_MAX) > return -EINVAL; > > if (sock_diag_handlers[req->sdiag_family] == NULL) > sock_load_diag_module(req->sdiag_family, 0); > > mutex_lock(&sock_diag_table_mutex); > hndl = sock_diag_handlers[req->sdiag_family]; > ... > > So I think clamping 'req->sdiag_family' right after the bounds check > would be the way to go. > Indeed, the clamp there would cover this clamp. I had a scheme that I quickly fix all the gadgets in functions with local comparisons, but clearly that's going to result in call chains with multiple clamps. I can fix this in a follow-up with a clamp here, or respin this patch set, whatever is easier for David. Thanks for the review! ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered 2018-07-29 15:59 ` Jeremy Cline @ 2018-08-13 17:16 ` Josh Poimboeuf 2018-08-13 19:03 ` Jeremy Cline 0 siblings, 1 reply; 9+ messages in thread From: Josh Poimboeuf @ 2018-08-13 17:16 UTC (permalink / raw) To: Jeremy Cline; +Cc: David S . Miller, netdev, linux-kernel, stable On Sun, Jul 29, 2018 at 11:59:36AM -0400, Jeremy Cline wrote: > On 07/29/2018 09:59 AM, Josh Poimboeuf wrote: > > On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote: > >> 'family' can be a user-controlled value, so sanitize it after the bounds > >> check to avoid speculative out-of-bounds access. > >> > >> Cc: Josh Poimboeuf <jpoimboe@redhat.com> > >> Cc: stable@vger.kernel.org > >> Signed-off-by: Jeremy Cline <jcline@redhat.com> > >> --- > >> net/socket.c | 3 ++- > >> 1 file changed, 2 insertions(+), 1 deletion(-) > >> > >> diff --git a/net/socket.c b/net/socket.c > >> index f15d5cbb3ba4..608e29ae6baf 100644 > >> --- a/net/socket.c > >> +++ b/net/socket.c > >> @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister); > >> > >> bool sock_is_registered(int family) > >> { > >> - return family < NPROTO && rcu_access_pointer(net_families[family]); > >> + return family < NPROTO && > >> + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]); > >> } > >> > >> static int __init sock_init(void) > > > > This is another one where I think it would be better to do the nospec > > clamp higher up the call chain. The untrusted 'family' value comes from > > __sock_diag_cmd(): > > > > __sock_diag_cmd > > sock_load_diag_module > > sock_is_registered > > > > That function has a bounds check, and also uses the value in some other > > array accesses: > > > > if (req->sdiag_family >= AF_MAX) > > return -EINVAL; > > > > if (sock_diag_handlers[req->sdiag_family] == NULL) > > sock_load_diag_module(req->sdiag_family, 0); > > > > mutex_lock(&sock_diag_table_mutex); > > hndl = sock_diag_handlers[req->sdiag_family]; > > ... > > > > So I think clamping 'req->sdiag_family' right after the bounds check > > would be the way to go. > > > > Indeed, the clamp there would cover this clamp. I had a scheme that I > quickly fix all the gadgets in functions with local comparisons, but > clearly that's going to result in call chains with multiple clamps. > > I can fix this in a follow-up with a clamp here, or respin this patch > set, whatever is easier for David. Hi Jeremy, Just checking up on this... since this patch was merged, will you be doing a followup patch? -- Josh ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered 2018-08-13 17:16 ` Josh Poimboeuf @ 2018-08-13 19:03 ` Jeremy Cline 0 siblings, 0 replies; 9+ messages in thread From: Jeremy Cline @ 2018-08-13 19:03 UTC (permalink / raw) To: Josh Poimboeuf; +Cc: David S . Miller, netdev, linux-kernel, stable On 08/13/2018 06:16 PM, Josh Poimboeuf wrote: > On Sun, Jul 29, 2018 at 11:59:36AM -0400, Jeremy Cline wrote: >> On 07/29/2018 09:59 AM, Josh Poimboeuf wrote: >>> On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote: >>>> 'family' can be a user-controlled value, so sanitize it after the bounds >>>> check to avoid speculative out-of-bounds access. >>>> >>>> Cc: Josh Poimboeuf <jpoimboe@redhat.com> >>>> Cc: stable@vger.kernel.org >>>> Signed-off-by: Jeremy Cline <jcline@redhat.com> >>>> --- >>>> net/socket.c | 3 ++- >>>> 1 file changed, 2 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/net/socket.c b/net/socket.c >>>> index f15d5cbb3ba4..608e29ae6baf 100644 >>>> --- a/net/socket.c >>>> +++ b/net/socket.c >>>> @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister); >>>> >>>> bool sock_is_registered(int family) >>>> { >>>> - return family < NPROTO && rcu_access_pointer(net_families[family]); >>>> + return family < NPROTO && >>>> + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]); >>>> } >>>> >>>> static int __init sock_init(void) >>> >>> This is another one where I think it would be better to do the nospec >>> clamp higher up the call chain. The untrusted 'family' value comes from >>> __sock_diag_cmd(): >>> >>> __sock_diag_cmd >>> sock_load_diag_module >>> sock_is_registered >>> >>> That function has a bounds check, and also uses the value in some other >>> array accesses: >>> >>> if (req->sdiag_family >= AF_MAX) >>> return -EINVAL; >>> >>> if (sock_diag_handlers[req->sdiag_family] == NULL) >>> sock_load_diag_module(req->sdiag_family, 0); >>> >>> mutex_lock(&sock_diag_table_mutex); >>> hndl = sock_diag_handlers[req->sdiag_family]; >>> ... >>> >>> So I think clamping 'req->sdiag_family' right after the bounds check >>> would be the way to go. >>> >> >> Indeed, the clamp there would cover this clamp. I had a scheme that I >> quickly fix all the gadgets in functions with local comparisons, but >> clearly that's going to result in call chains with multiple clamps. >> >> I can fix this in a follow-up with a clamp here, or respin this patch >> set, whatever is easier for David. > > Hi Jeremy, > > Just checking up on this... since this patch was merged, will you be > doing a followup patch? > Yes, apologies, I've been traveling. I'll have a patch tomorrow. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets 2018-07-27 22:43 [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets Jeremy Cline 2018-07-27 22:43 ` [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall Jeremy Cline 2018-07-27 22:43 ` [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered Jeremy Cline @ 2018-07-29 5:45 ` David Miller 2 siblings, 0 replies; 9+ messages in thread From: David Miller @ 2018-07-29 5:45 UTC (permalink / raw) To: jcline; +Cc: netdev, linux-kernel, jpoimboe From: Jeremy Cline <jcline@redhat.com> Date: Fri, 27 Jul 2018 22:43:00 +0000 > This fixes a pair of potential spectre v1 gadgets. > > Note that because the speculation window is large, the policy is to stop > the speculative out-of-bounds load and not worry if the attack can be > completed with a dependent load or store[0]. > > [0] https://marc.info/?l=linux-kernel&m=152449131114778 Series applied, thank you. ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2018-08-13 19:03 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-07-27 22:43 [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets Jeremy Cline 2018-07-27 22:43 ` [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall Jeremy Cline 2018-07-29 13:59 ` Josh Poimboeuf 2018-07-27 22:43 ` [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered Jeremy Cline 2018-07-29 13:59 ` Josh Poimboeuf 2018-07-29 15:59 ` Jeremy Cline 2018-08-13 17:16 ` Josh Poimboeuf 2018-08-13 19:03 ` Jeremy Cline 2018-07-29 5:45 ` [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets David Miller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).