From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Josh Poimboeuf <jpoimboe@redhat.com>,
konrad.wilk@oracle.com, jamie.iles@oracle.com,
liran.alon@oracle.com, Jeremy Cline <jcline@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.18 29/35] net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()
Date: Tue, 21 Aug 2018 08:20:55 +0200 [thread overview]
Message-ID: <20180821055021.233249273@linuxfoundation.org> (raw)
In-Reply-To: <20180821055019.954904905@linuxfoundation.org>
4.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Cline <jcline@redhat.com>
[ Upstream commit 66b51b0a0341fd42ce657739bdae0561b0410a85 ]
req->sdiag_family is a user-controlled value that's used as an array
index. Sanitize it after the bounds check to avoid speculative
out-of-bounds array access.
This also protects the sock_is_registered() call, so this removes the
sanitize call there.
Fixes: e978de7a6d38 ("net: socket: Fix potential spectre v1 gadget in sock_is_registered")
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: konrad.wilk@oracle.com
Cc: jamie.iles@oracle.com
Cc: liran.alon@oracle.com
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/sock_diag.c | 2 ++
net/socket.c | 3 +--
2 files changed, 3 insertions(+), 2 deletions(-)
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -10,6 +10,7 @@
#include <linux/kernel.h>
#include <linux/tcp.h>
#include <linux/workqueue.h>
+#include <linux/nospec.h>
#include <linux/inet_diag.h>
#include <linux/sock_diag.h>
@@ -218,6 +219,7 @@ static int __sock_diag_cmd(struct sk_buf
if (req->sdiag_family >= AF_MAX)
return -EINVAL;
+ req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
if (sock_diag_handlers[req->sdiag_family] == NULL)
sock_load_diag_module(req->sdiag_family, 0);
--- a/net/socket.c
+++ b/net/socket.c
@@ -2690,8 +2690,7 @@ EXPORT_SYMBOL(sock_unregister);
bool sock_is_registered(int family)
{
- return family < NPROTO &&
- rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
+ return family < NPROTO && rcu_access_pointer(net_families[family]);
}
static int __init sock_init(void)
next prev parent reply other threads:[~2018-08-21 6:20 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-21 6:20 [PATCH 4.18 00/35] 4.18.4-stable review Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 01/35] l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 02/35] net_sched: fix NULL pointer dereference when delete tcindex filter Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 03/35] net_sched: Fix missing res info when create new tc_index filter Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 04/35] r8169: dont use MSI-X on RTL8168g Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 05/35] ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 06/35] ALSA: hda - Turn CX8200 into D3 as well upon reboot Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 07/35] ALSA: vx222: Fix invalid endian conversions Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 08/35] ALSA: virmidi: Fix too long output trigger loop Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 09/35] ALSA: cs5535audio: Fix invalid endian conversion Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 10/35] ALSA: dice: fix wrong copy to rx parameters for Alesis iO26 Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 11/35] ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 12/35] ALSA: memalloc: Dont exceed over the requested size Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 13/35] ALSA: vxpocket: Fix invalid endian conversions Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 14/35] ALSA: seq: Fix poll() error return Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 16/35] USB: serial: sierra: fix potential deadlock at close Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 17/35] USB: serial: pl2303: add a new device id for ATEN Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 18/35] USB: option: add support for DW5821e Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 19/35] ACPI / PM: save NVS memory for ASUS 1025C laptop Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 20/35] tty: serial: 8250: Revert NXP SC16C2552 workaround Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 21/35] serial: 8250_exar: Read INT0 from slave device, too Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 22/35] serial: 8250_dw: always set baud rate in dw8250_set_termios Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 23/35] serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 24/35] uio: fix wrong return value from uio_mmap() Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 25/35] misc: sram: fix resource leaks in probe error path Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 26/35] Revert "uio: use request_threaded_irq instead" Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 27/35] Bluetooth: avoid killing an already killed socket Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 28/35] isdn: Disable IIOCDBGVAR Greg Kroah-Hartman
2018-08-21 6:20 ` Greg Kroah-Hartman [this message]
2018-08-21 6:20 ` [PATCH 4.18 30/35] hv/netvsc: Fix NULL dereference at single queue mode fallback Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 31/35] r8169: dont use MSI-X on RTL8106e Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 32/35] ip_vti: fix a null pointer deferrence when create vti fallback tunnel Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 33/35] net: ethernet: mvneta: Fix napi structure mixup on armada 3700 Greg Kroah-Hartman
2018-08-21 6:21 ` [PATCH 4.18 34/35] net: mvneta: fix mvneta_config_rss " Greg Kroah-Hartman
2018-08-21 6:21 ` [PATCH 4.18 35/35] cls_matchall: fix tcf_unbind_filter missing Greg Kroah-Hartman
2018-08-21 14:59 ` [PATCH 4.18 00/35] 4.18.4-stable review Guenter Roeck
2018-08-21 20:02 ` Greg Kroah-Hartman
2018-08-21 18:03 ` Naresh Kamboju
2018-08-21 20:03 ` Greg Kroah-Hartman
2018-08-21 19:43 ` Shuah Khan
2018-08-21 20:03 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180821055021.233249273@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jamie.iles@oracle.com \
--cc=jcline@redhat.com \
--cc=jpoimboe@redhat.com \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=liran.alon@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).