'protocol' is a user-controlled value, so sanitize it after the bounds
check to avoid using it for speculative out-of-bounds access to arrays
indexed by it.
This addresses the following accesses detected with the help of smatch:
* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
spectre issue 'nlk_cb_mutex_keys' [w]
* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
spectre issue 'nlk_cb_mutex_key_strings' [w]
* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
issue 'nl_table' [w] (local cap)
Cc: Josh Poimboeuf <[email protected]>
Signed-off-by: Jeremy Cline <[email protected]>
---
net/netlink/af_netlink.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 393573a99a5a..59dac45ad452 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -63,6 +63,7 @@
#include <linux/hash.h>
#include <linux/genetlink.h>
#include <linux/net_namespace.h>
+#include <linux/nospec.h>
#include <net/net_namespace.h>
#include <net/netns/generic.h>
@@ -679,6 +680,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol,
if (protocol < 0 || protocol >= MAX_LINKS)
return -EPROTONOSUPPORT;
+ protocol = array_index_nospec(protocol, MAX_LINKS);
netlink_lock_table();
#ifdef CONFIG_MODULES
--
2.17.1
On Tue, Jul 31, 2018 at 09:13:16PM +0000, Jeremy Cline wrote:
> 'protocol' is a user-controlled value, so sanitize it after the bounds
> check to avoid using it for speculative out-of-bounds access to arrays
> indexed by it.
>
> This addresses the following accesses detected with the help of smatch:
>
> * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
> spectre issue 'nlk_cb_mutex_keys' [w]
>
> * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
> spectre issue 'nlk_cb_mutex_key_strings' [w]
>
> * net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
> issue 'nl_table' [w] (local cap)
>
> Cc: Josh Poimboeuf <[email protected]>
> Signed-off-by: Jeremy Cline <[email protected]>
Reviewed-by: Josh Poimboeuf <[email protected]>
--
Josh
From: Jeremy Cline <[email protected]>
Date: Tue, 31 Jul 2018 21:13:16 +0000
> 'protocol' is a user-controlled value, so sanitize it after the bounds
> check to avoid using it for speculative out-of-bounds access to arrays
> indexed by it.
>
> This addresses the following accesses detected with the help of smatch:
>
> * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
> spectre issue 'nlk_cb_mutex_keys' [w]
>
> * net/netlink/af_netlink.c:654 __netlink_create() warn: potential
> spectre issue 'nlk_cb_mutex_key_strings' [w]
>
> * net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
> issue 'nl_table' [w] (local cap)
>
> Cc: Josh Poimboeuf <[email protected]>
> Signed-off-by: Jeremy Cline <[email protected]>
Applied and queued up for -stable, thanks.