2018-07-27 22:46:08

by Jeremy Cline

[permalink] [raw]
Subject: [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets

Hi folks,

This fixes a pair of potential spectre v1 gadgets.

Note that because the speculation window is large, the policy is to stop
the speculative out-of-bounds load and not worry if the attack can be
completed with a dependent load or store[0].

[0] https://marc.info/?l=linux-kernel&m=152449131114778

Jeremy Cline (2):
net: socket: fix potential spectre v1 gadget in socketcall
net: socket: Fix potential spectre v1 gadget in sock_is_registered

net/socket.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--
2.17.1



2018-07-27 22:45:14

by Jeremy Cline

[permalink] [raw]
Subject: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered

'family' can be a user-controlled value, so sanitize it after the bounds
check to avoid speculative out-of-bounds access.

Cc: Josh Poimboeuf <[email protected]>
Cc: [email protected]
Signed-off-by: Jeremy Cline <[email protected]>
---
net/socket.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/socket.c b/net/socket.c
index f15d5cbb3ba4..608e29ae6baf 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister);

bool sock_is_registered(int family)
{
- return family < NPROTO && rcu_access_pointer(net_families[family]);
+ return family < NPROTO &&
+ rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
}

static int __init sock_init(void)
--
2.17.1


2018-07-27 22:45:25

by Jeremy Cline

[permalink] [raw]
Subject: [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall

'call' is a user-controlled value, so sanitize the array index after the
bounds check to avoid speculating past the bounds of the 'nargs' array.

Found with the help of Smatch:

net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
'nargs' [r] (local cap)

Cc: Josh Poimboeuf <[email protected]>
Cc: [email protected]
Signed-off-by: Jeremy Cline <[email protected]>
---
net/socket.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/socket.c b/net/socket.c
index 3015ddace71e..f15d5cbb3ba4 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -89,6 +89,7 @@
#include <linux/magic.h>
#include <linux/slab.h>
#include <linux/xattr.h>
+#include <linux/nospec.h>

#include <linux/uaccess.h>
#include <asm/unistd.h>
@@ -2504,6 +2505,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)

if (call < 1 || call > SYS_SENDMMSG)
return -EINVAL;
+ call = array_index_nospec(call, SYS_SENDMMSG + 1);

len = nargs[call];
if (len > sizeof(a))
--
2.17.1


2018-07-29 05:46:06

by David Miller

[permalink] [raw]
Subject: Re: [PATCH 0/2] net: socket: Fix potential spectre v1 gadgets

From: Jeremy Cline <[email protected]>
Date: Fri, 27 Jul 2018 22:43:00 +0000

> This fixes a pair of potential spectre v1 gadgets.
>
> Note that because the speculation window is large, the policy is to stop
> the speculative out-of-bounds load and not worry if the attack can be
> completed with a dependent load or store[0].
>
> [0] https://marc.info/?l=linux-kernel&m=152449131114778

Series applied, thank you.

2018-07-29 14:00:13

by Josh Poimboeuf

[permalink] [raw]
Subject: Re: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered

On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote:
> 'family' can be a user-controlled value, so sanitize it after the bounds
> check to avoid speculative out-of-bounds access.
>
> Cc: Josh Poimboeuf <[email protected]>
> Cc: [email protected]
> Signed-off-by: Jeremy Cline <[email protected]>
> ---
> net/socket.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/socket.c b/net/socket.c
> index f15d5cbb3ba4..608e29ae6baf 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister);
>
> bool sock_is_registered(int family)
> {
> - return family < NPROTO && rcu_access_pointer(net_families[family]);
> + return family < NPROTO &&
> + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
> }
>
> static int __init sock_init(void)

This is another one where I think it would be better to do the nospec
clamp higher up the call chain. The untrusted 'family' value comes from
__sock_diag_cmd():

__sock_diag_cmd
sock_load_diag_module
sock_is_registered

That function has a bounds check, and also uses the value in some other
array accesses:

if (req->sdiag_family >= AF_MAX)
return -EINVAL;

if (sock_diag_handlers[req->sdiag_family] == NULL)
sock_load_diag_module(req->sdiag_family, 0);

mutex_lock(&sock_diag_table_mutex);
hndl = sock_diag_handlers[req->sdiag_family];
...

So I think clamping 'req->sdiag_family' right after the bounds check
would be the way to go.

--
Josh

2018-07-29 14:01:50

by Josh Poimboeuf

[permalink] [raw]
Subject: Re: [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall

On Fri, Jul 27, 2018 at 10:43:01PM +0000, Jeremy Cline wrote:
> 'call' is a user-controlled value, so sanitize the array index after the
> bounds check to avoid speculating past the bounds of the 'nargs' array.
>
> Found with the help of Smatch:
>
> net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
> 'nargs' [r] (local cap)
>
> Cc: Josh Poimboeuf <[email protected]>
> Cc: [email protected]
> Signed-off-by: Jeremy Cline <[email protected]>
> ---
> net/socket.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/socket.c b/net/socket.c
> index 3015ddace71e..f15d5cbb3ba4 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -89,6 +89,7 @@
> #include <linux/magic.h>
> #include <linux/slab.h>
> #include <linux/xattr.h>
> +#include <linux/nospec.h>
>
> #include <linux/uaccess.h>
> #include <asm/unistd.h>
> @@ -2504,6 +2505,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
>
> if (call < 1 || call > SYS_SENDMMSG)
> return -EINVAL;
> + call = array_index_nospec(call, SYS_SENDMMSG + 1);
>
> len = nargs[call];
> if (len > sizeof(a))

Reviewed-by: Josh Poimboeuf <[email protected]>

--
Josh

2018-07-29 16:00:48

by Jeremy Cline

[permalink] [raw]
Subject: Re: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered

On 07/29/2018 09:59 AM, Josh Poimboeuf wrote:
> On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote:
>> 'family' can be a user-controlled value, so sanitize it after the bounds
>> check to avoid speculative out-of-bounds access.
>>
>> Cc: Josh Poimboeuf <[email protected]>
>> Cc: [email protected]
>> Signed-off-by: Jeremy Cline <[email protected]>
>> ---
>> net/socket.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/socket.c b/net/socket.c
>> index f15d5cbb3ba4..608e29ae6baf 100644
>> --- a/net/socket.c
>> +++ b/net/socket.c
>> @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister);
>>
>> bool sock_is_registered(int family)
>> {
>> - return family < NPROTO && rcu_access_pointer(net_families[family]);
>> + return family < NPROTO &&
>> + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
>> }
>>
>> static int __init sock_init(void)
>
> This is another one where I think it would be better to do the nospec
> clamp higher up the call chain. The untrusted 'family' value comes from
> __sock_diag_cmd():
>
> __sock_diag_cmd
> sock_load_diag_module
> sock_is_registered
>
> That function has a bounds check, and also uses the value in some other
> array accesses:
>
> if (req->sdiag_family >= AF_MAX)
> return -EINVAL;
>
> if (sock_diag_handlers[req->sdiag_family] == NULL)
> sock_load_diag_module(req->sdiag_family, 0);
>
> mutex_lock(&sock_diag_table_mutex);
> hndl = sock_diag_handlers[req->sdiag_family];
> ...
>
> So I think clamping 'req->sdiag_family' right after the bounds check
> would be the way to go.
>

Indeed, the clamp there would cover this clamp. I had a scheme that I
quickly fix all the gadgets in functions with local comparisons, but
clearly that's going to result in call chains with multiple clamps.

I can fix this in a follow-up with a clamp here, or respin this patch
set, whatever is easier for David.

Thanks for the review!

2018-08-13 17:57:50

by Josh Poimboeuf

[permalink] [raw]
Subject: Re: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered

On Sun, Jul 29, 2018 at 11:59:36AM -0400, Jeremy Cline wrote:
> On 07/29/2018 09:59 AM, Josh Poimboeuf wrote:
> > On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote:
> >> 'family' can be a user-controlled value, so sanitize it after the bounds
> >> check to avoid speculative out-of-bounds access.
> >>
> >> Cc: Josh Poimboeuf <[email protected]>
> >> Cc: [email protected]
> >> Signed-off-by: Jeremy Cline <[email protected]>
> >> ---
> >> net/socket.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/net/socket.c b/net/socket.c
> >> index f15d5cbb3ba4..608e29ae6baf 100644
> >> --- a/net/socket.c
> >> +++ b/net/socket.c
> >> @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister);
> >>
> >> bool sock_is_registered(int family)
> >> {
> >> - return family < NPROTO && rcu_access_pointer(net_families[family]);
> >> + return family < NPROTO &&
> >> + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
> >> }
> >>
> >> static int __init sock_init(void)
> >
> > This is another one where I think it would be better to do the nospec
> > clamp higher up the call chain. The untrusted 'family' value comes from
> > __sock_diag_cmd():
> >
> > __sock_diag_cmd
> > sock_load_diag_module
> > sock_is_registered
> >
> > That function has a bounds check, and also uses the value in some other
> > array accesses:
> >
> > if (req->sdiag_family >= AF_MAX)
> > return -EINVAL;
> >
> > if (sock_diag_handlers[req->sdiag_family] == NULL)
> > sock_load_diag_module(req->sdiag_family, 0);
> >
> > mutex_lock(&sock_diag_table_mutex);
> > hndl = sock_diag_handlers[req->sdiag_family];
> > ...
> >
> > So I think clamping 'req->sdiag_family' right after the bounds check
> > would be the way to go.
> >
>
> Indeed, the clamp there would cover this clamp. I had a scheme that I
> quickly fix all the gadgets in functions with local comparisons, but
> clearly that's going to result in call chains with multiple clamps.
>
> I can fix this in a follow-up with a clamp here, or respin this patch
> set, whatever is easier for David.

Hi Jeremy,

Just checking up on this... since this patch was merged, will you be
doing a followup patch?

--
Josh

2018-08-13 19:07:07

by Jeremy Cline

[permalink] [raw]
Subject: Re: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered

On 08/13/2018 06:16 PM, Josh Poimboeuf wrote:
> On Sun, Jul 29, 2018 at 11:59:36AM -0400, Jeremy Cline wrote:
>> On 07/29/2018 09:59 AM, Josh Poimboeuf wrote:
>>> On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote:
>>>> 'family' can be a user-controlled value, so sanitize it after the bounds
>>>> check to avoid speculative out-of-bounds access.
>>>>
>>>> Cc: Josh Poimboeuf <[email protected]>
>>>> Cc: [email protected]
>>>> Signed-off-by: Jeremy Cline <[email protected]>
>>>> ---
>>>> net/socket.c | 3 ++-
>>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/net/socket.c b/net/socket.c
>>>> index f15d5cbb3ba4..608e29ae6baf 100644
>>>> --- a/net/socket.c
>>>> +++ b/net/socket.c
>>>> @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister);
>>>>
>>>> bool sock_is_registered(int family)
>>>> {
>>>> - return family < NPROTO && rcu_access_pointer(net_families[family]);
>>>> + return family < NPROTO &&
>>>> + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
>>>> }
>>>>
>>>> static int __init sock_init(void)
>>>
>>> This is another one where I think it would be better to do the nospec
>>> clamp higher up the call chain. The untrusted 'family' value comes from
>>> __sock_diag_cmd():
>>>
>>> __sock_diag_cmd
>>> sock_load_diag_module
>>> sock_is_registered
>>>
>>> That function has a bounds check, and also uses the value in some other
>>> array accesses:
>>>
>>> if (req->sdiag_family >= AF_MAX)
>>> return -EINVAL;
>>>
>>> if (sock_diag_handlers[req->sdiag_family] == NULL)
>>> sock_load_diag_module(req->sdiag_family, 0);
>>>
>>> mutex_lock(&sock_diag_table_mutex);
>>> hndl = sock_diag_handlers[req->sdiag_family];
>>> ...
>>>
>>> So I think clamping 'req->sdiag_family' right after the bounds check
>>> would be the way to go.
>>>
>>
>> Indeed, the clamp there would cover this clamp. I had a scheme that I
>> quickly fix all the gadgets in functions with local comparisons, but
>> clearly that's going to result in call chains with multiple clamps.
>>
>> I can fix this in a follow-up with a clamp here, or respin this patch
>> set, whatever is easier for David.
>
> Hi Jeremy,
>
> Just checking up on this... since this patch was merged, will you be
> doing a followup patch?
>

Yes, apologies, I've been traveling. I'll have a patch tomorrow.