From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from shards.monkeyblade.net ([184.105.139.130]:49024 "EHLO
        shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752126AbeBHUYb (ORCPT
        <rfc822;stable@vger.kernel.org>); Thu, 8 Feb 2018 15:24:31 -0500
Date: Thu, 08 Feb 2018 15:24:30 -0500 (EST)
Message-Id: <20180208.152430.815938637029162565.davem@davemloft.net>
To: dan.j.williams@intel.com
Cc: netdev@vger.kernel.org, ebiederm@xmission.com,
        stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mpls, nospec: Sanitize array index in mpls_label_ok()
From: David Miller <davem@davemloft.net>
In-Reply-To: <151807166425.3807.8813780890075479680.stgit@dwillia2-desk3.amr.corp.intel.com>
References: <151807166425.3807.8813780890075479680.stgit@dwillia2-desk3.amr.corp.intel.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

From: Dan Williams <dan.j.williams@intel.com>
Date: Wed, 07 Feb 2018 22:34:24 -0800

> mpls_label_ok() validates that the 'platform_label' array index from a
> userspace netlink message payload is valid. Under speculation the
> mpls_label_ok() result may not resolve in the CPU pipeline until after
> the index is used to access an array element. Sanitize the index to zero
> to prevent userspace-controlled arbitrary out-of-bounds speculation, a
> precursor for a speculative execution side channel vulnerability.
> 
> Cc: <stable@vger.kernel.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Applied, thank you.