From mboxrd@z Thu Jan 1 00:00:00 1970 From: Josh Poimboeuf Subject: Re: [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall Date: Sun, 29 Jul 2018 08:59:20 -0500 Message-ID: <20180729135920.a2zo6de4f7chszgd@treble> References: <20180727224302.5503-1-jcline@redhat.com> <20180727224302.5503-2-jcline@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Cc: "David S . Miller" , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org To: Jeremy Cline Return-path: Received: from mx3-rdu2.redhat.com ([66.187.233.73]:47446 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726324AbeG2P34 (ORCPT ); Sun, 29 Jul 2018 11:29:56 -0400 Content-Disposition: inline In-Reply-To: <20180727224302.5503-2-jcline@redhat.com> Sender: netdev-owner@vger.kernel.org List-ID: On Fri, Jul 27, 2018 at 10:43:01PM +0000, Jeremy Cline wrote: > 'call' is a user-controlled value, so sanitize the array index after the > bounds check to avoid speculating past the bounds of the 'nargs' array. > > Found with the help of Smatch: > > net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue > 'nargs' [r] (local cap) > > Cc: Josh Poimboeuf > Cc: stable@vger.kernel.org > Signed-off-by: Jeremy Cline > --- > net/socket.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/socket.c b/net/socket.c > index 3015ddace71e..f15d5cbb3ba4 100644 > --- a/net/socket.c > +++ b/net/socket.c > @@ -89,6 +89,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -2504,6 +2505,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) > > if (call < 1 || call > SYS_SENDMMSG) > return -EINVAL; > + call = array_index_nospec(call, SYS_SENDMMSG + 1); > > len = nargs[call]; > if (len > sizeof(a)) Reviewed-by: Josh Poimboeuf -- Josh