Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753456AbeAFOs7 (ORCPT + 1 other); Sat, 6 Jan 2018 09:48:59 -0500 Received: from mail-pl0-f66.google.com ([209.85.160.66]:39447 "EHLO mail-pl0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753276AbeAFOs5 (ORCPT ); Sat, 6 Jan 2018 09:48:57 -0500 X-Google-Smtp-Source: ACJfBoth3MP+chrmLg9RHtzcZmlgliG9q5urBOV9WpLjeABLCGktMrKvXqBA0idmkehaDcHBCQGiHA== Date: Sat, 6 Jan 2018 06:48:52 -0800 From: Stephen Hemminger To: Dan Williams Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, Hideaki YOSHIFUJI , netdev@vger.kernel.org, peterz@infradead.org, gregkh@linuxfoundation.org, Alexey Kuznetsov , tglx@linutronix.de, torvalds@linux-foundation.org, "David S. Miller" , Elena Reshetova , alan@linux.intel.com Subject: Re: [PATCH 13/18] ipv6: prevent bounds-check bypass via speculative execution Message-ID: <20180106064852.187637ad@xeon-e3> In-Reply-To: <151520106487.32271.6013001625427346680.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520106487.32271.6013001625427346680.stgit@dwillia2-desk3.amr.corp.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Fri, 05 Jan 2018 17:11:04 -0800 Dan Williams wrote: > Static analysis reports that 'offset' may be a user controlled value > that is used as a data dependency reading from a raw6_frag_vec buffer. > In order to avoid potential leaks of kernel memory values, block > speculative execution of the instruction stream that could issue further > reads based on an invalid '*(rfv->c + offset)' value. > > Based on an original patch by Elena Reshetova. > > Cc: "David S. Miller" > Cc: Alexey Kuznetsov > Cc: Hideaki YOSHIFUJI > Cc: netdev@vger.kernel.org > Signed-off-by: Elena Reshetova > Signed-off-by: Dan Williams > --- > net/ipv6/raw.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c > index 761a473a07c5..384e3d59d148 100644 > --- a/net/ipv6/raw.c > +++ b/net/ipv6/raw.c > @@ -33,6 +33,7 @@ > #include > #include > #include > +#include > #include > > #include > @@ -725,17 +726,17 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd, > struct sk_buff *skb) > { > struct raw6_frag_vec *rfv = from; > + char *rfv_buf; > > - if (offset < rfv->hlen) { > + if ((rfv_buf = nospec_array_ptr(rfv->c, offset, rfv->hlen))) { > int copy = min(rfv->hlen - offset, len); Minor nit. Please don't do assignment in condition test here. Instead. rfv_buf = nospec_array_ptr(rfv->c, offset, rfv->hlen); if (rfv_buf) {