From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mark Rutland, Alexei Starovoitov, Dan Carpenter, Daniel Borkmann, Peter Zijlstra, netdev@vger.kernel.org, "David S. Miller", Sasha Levin
Subject: [PATCH 4.16 179/279] bpf: fix possible spectre-v1 in find_and_alloc_map()
Date: Mon, 18 Jun 2018 10:12:44 +0200
Message-Id: <20180618080616.349022432@linuxfoundation.org>
In-Reply-To: <20180618080608.851973560@linuxfoundation.org>

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland

[ Upstream commit 9ef09e35e521bf0df5325cc9cffa726a8f5f3c1b ]

It's possible for userspace to control attr->map_type. Sanitize it when
using it as an array index to prevent an out-of-bounds value being used
under speculation.

Found by smatch.

Signed-off-by: Mark Rutland
Cc: Alexei Starovoitov
Cc: Dan Carpenter
Cc: Daniel Borkmann
Cc: Peter Zijlstra
Cc: netdev@vger.kernel.org
Acked-by: David S. Miller
Signed-off-by: Daniel Borkmann
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/syscall.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -26,6 +26,7 @@ #include #include #include +#include #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY || \ (map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \ @@ -102,12 +103,14 @@ const struct bpf_map_ops bpf_map_offload static struct bpf_map *find_and_alloc_map(union bpf_attr *attr) { const struct bpf_map_ops *ops; + u32 type = attr->map_type; struct bpf_map *map; int err; - if (attr->map_type >= ARRAY_SIZE(bpf_map_types)) + if (type >= ARRAY_SIZE(bpf_map_types)) return ERR_PTR(-EINVAL); - ops = bpf_map_types[attr->map_type]; + type = array_index_nospec(type, ARRAY_SIZE(bpf_map_types)); + ops = bpf_map_types[type]; if (!ops) return ERR_PTR(-EINVAL); @@ -122,7 +125,7 @@ static struct bpf_map *find_and_alloc_ma if (IS_ERR(map)) return map; map->ops = ops; - map->map_type = attr->map_type; + map->map_type = type; return map; }
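
Review bot: In the @@ -102,12 +103,14 @@ hunk, the `array_index_nospec()` call sits directly after a bounds check on the same value and carries no comment, so it reads as redundant to anyone not thinking about speculation. A one-line comment above `type = array_index_nospec(type, ARRAY_SIZE(bpf_map_types));` noting that attr->map_type is userspace controlled and that the clamp covers the speculative path would keep a later cleanup from dropping it. Copying attr->map_type into the local `type` once and using that local for the check, the clamp and the lookup is the right shape.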
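
Review bot: In the @@ -122,7 +125,7 @@ hunk, `map->map_type = type;` relies on `type` being left unmodified between the lookup and this assignment, and the lines between the two hunks are not part of the diff. It is worth confirming that nothing in that unshown stretch still indexes an array with attr->map_type directly, since the only lookup this patch visibly clamps is `bpf_map_types[type]`.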
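
The branch-free masking behind the sanitization the commit message describes, as an added userspace C model (not the kernel's code and not part of the patch). The names `index_mask_nospec`, `index_nospec`, `handlers` and `lookup_handler` are hypothetical, and the table contents are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define ULONG_BITS (sizeof(unsigned long) * CHAR_BIT)

/* All ones when index < size, zero otherwise, computed with arithmetic only
 * so no conditional branch can be mispredicted. Assumes size <= LONG_MAX and
 * an arithmetic right shift of negative values (what GCC and Clang do). */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
    /* Hide the value from the optimizer so the mask is not folded away. */
    __asm__ __volatile__("" : "+r"(index));
#endif
    return (unsigned long)(~(long)(index | (size - 1UL - index)) >> (ULONG_BITS - 1));
}

/* In-bounds indices pass through unchanged; anything else becomes 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Constructed table standing in for a per-type ops array; slot 0 is empty. */
static const char *const handlers[] = { NULL, "hash", "array", "prog_array" };

/* Same order as the patch: bounds check, clamp, then index. */
static const char *lookup_handler(unsigned long type, int *err)
{
    *err = -EINVAL;
    if (type >= ARRAY_SIZE(handlers))
        return NULL;
    type = index_nospec(type, ARRAY_SIZE(handlers));
    if (!handlers[type])
        return NULL;
    *err = 0;
    return handlers[type];
}

int main(void)
{
    for (unsigned long t = 0; t < 6; t++)
        printf("type=%lu mask=%#lx clamped=%lu\n", t, index_mask_nospec(t, 4),
               index_nospec(t, 4));
    return 0;
}
```

Even if the bounds check is bypassed under speculation, the index that reaches the array load is either the original in-bounds value or 0, never an attacker-chosen offset.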