req->sdiag_family is a user-controlled value that's used as an array
index. Sanitize it after the bounds check to avoid speculative
out-of-bounds array access.
This also protects the sock_is_registered() call, so this removes the
sanitize call there.
Fixes: e978de7a6d38 ("net: socket: Fix potential spectre v1 gadget in sock_is_registered")
Cc: Josh Poimboeuf <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Jeremy Cline <[email protected]>
---
Since commit e978de7a6d38 didn't apply cleanly to v4.14, this won't
either since it reverts that change. To apply cleanly there, the change
to sock_is_registered() needs to be dropped.
net/core/sock_diag.c | 2 ++
net/socket.c | 3 +--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index c37b5be7c5e4..3312a5849a97 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -10,6 +10,7 @@
#include <linux/kernel.h>
#include <linux/tcp.h>
#include <linux/workqueue.h>
+#include <linux/nospec.h>
#include <linux/inet_diag.h>
#include <linux/sock_diag.h>
@@ -218,6 +219,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
if (req->sdiag_family >= AF_MAX)
return -EINVAL;
+ req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
if (sock_diag_handlers[req->sdiag_family] == NULL)
sock_load_diag_module(req->sdiag_family, 0);
diff --git a/net/socket.c b/net/socket.c
index 53c907169818..391a0da49ffe 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2679,8 +2679,7 @@ EXPORT_SYMBOL(sock_unregister);
bool sock_is_registered(int family)
{
- return family < NPROTO &&
- rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
+ return family < NPROTO && rcu_access_pointer(net_families[family]);
}
static int __init sock_init(void)
--
2.17.1
From: Jeremy Cline <[email protected]>
Date: Mon, 13 Aug 2018 22:23:13 +0000
> req->sdiag_family is a user-controlled value that's used as an array
> index. Sanitize it after the bounds check to avoid speculative
> out-of-bounds array access.
>
> This also protects the sock_is_registered() call, so this removes the
> sanitize call there.
>
> Fixes: e978de7a6d38 ("net: socket: Fix potential spectre v1 gadget in sock_is_registered")
> Cc: Josh Poimboeuf <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Signed-off-by: Jeremy Cline <[email protected]>
> ---
>
> Since commit e978de7a6d38 didn't apply cleanly to v4.14, this won't
> either since it reverts that change. To apply cleanly there, the change
> to sock_is_registered() needs to be dropped.
Applied, thank you.