Date: Sun, 29 Jul 2018 08:59:06 -0500
From: Josh Poimboeuf
To: Jeremy Cline
Cc: "David S . Miller", netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 2/2] net: socket: Fix potential spectre v1 gadget in sock_is_registered
Message-ID: <20180729135906.lgqo5ue6it3hl2da@treble>
References: <20180727224302.5503-1-jcline@redhat.com> <20180727224302.5503-3-jcline@redhat.com>
In-Reply-To: <20180727224302.5503-3-jcline@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote:
> 'family' can be a user-controlled value, so sanitize it after the bounds
> check to avoid speculative out-of-bounds access.
>
> Cc: Josh Poimboeuf
> Cc: stable@vger.kernel.org
> Signed-off-by: Jeremy Cline
> ---
>  net/socket.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/socket.c b/net/socket.c
> index f15d5cbb3ba4..608e29ae6baf 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister);
>
>  bool sock_is_registered(int family)
>  {
> -	return family < NPROTO && rcu_access_pointer(net_families[family]);
> +	return family < NPROTO &&
> +		rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
>  }
>
>  static int __init sock_init(void)

This is another one where I think it would be better to do the nospec
clamp higher up the call chain.  The untrusted 'family' value comes from
__sock_diag_cmd():

  __sock_diag_cmd
    sock_load_diag_module
      sock_is_registered

That function has a bounds check, and also uses the value in some other
array accesses:

	if (req->sdiag_family >= AF_MAX)
		return -EINVAL;

	if (sock_diag_handlers[req->sdiag_family] == NULL)
		sock_load_diag_module(req->sdiag_family, 0);

	mutex_lock(&sock_diag_table_mutex);
	hndl = sock_diag_handlers[req->sdiag_family];
	...

So I think clamping 'req->sdiag_family' right after the bounds check
would be the way to go.

-- 
Josh
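Review bot: the bounds check in this hunk is a signed comparison on an `int`, so a negative `family` still passes `family < NPROTO` and, before this patch, indexed `net_families[]` below its start architecturally, not just speculatively. After the patch the only thing keeping a negative value in range is the clamp, which should not be what the in-bounds guarantee rests on. Either make the range explicit, e.g. `return family >= 0 && family < NPROTO &&`, or take the parameter as `unsigned int` so the single comparison covers both ends; the `array_index_nospec(family, NPROTO)` clamp then stays purely a speculation barrier.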
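The placement Josh argues for (one clamp at the entry point, right after the bounds check, with callees trusting the clamped index) as an added userspace example. This is not the kernel's code or the patch under review: the mask expression follows the generic C fallback in the kernel's nospec.h, but `AF_MAX_DEMO`, `diag_handlers`, `families_registered`, `diag_cmd` and the table contents are constructed here for illustration.

```c
/* Added example, not kernel code: models the array_index_nospec() pattern
 * with the clamp applied once at the syscall-facing entry point and the
 * clamped index passed down the call chain.
 * Hypothetical names: AF_MAX_DEMO, diag_handlers, families_registered,
 * is_registered, lookup_handler, diag_cmd, diag_handler_name. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define AF_MAX_DEMO 8UL   /* constructed stand-in for AF_MAX / NPROTO */

/* ~0UL when index < size, 0 otherwise, computed with arithmetic rather than a
 * branch so the CPU cannot speculate past it. Same expression as the kernel's
 * generic array_index_mask_nospec() fallback. */
static inline unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Stop the compiler from proving the mask redundant after the branch
     * (the kernel uses OPTIMIZER_HIDE_VAR for this). */
    __asm__ volatile("" : "+r"(index));
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp to [0, size): in-range values pass through, out-of-range become 0. */
static inline unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed tables standing in for sock_diag_handlers[] and net_families[]. */
static const char *diag_handlers[AF_MAX_DEMO] = { NULL, "unix", "inet", NULL, NULL, NULL, NULL, NULL };
static const bool families_registered[AF_MAX_DEMO] = { false, true, true, false, false, false, false, false };

/* Callees receive an already-clamped index and index freely, like
 * sock_is_registered() would after the caller sanitised the value. */
static bool is_registered(unsigned long family)
{
    return families_registered[family];
}

static const char *lookup_handler(unsigned long family)
{
    return diag_handlers[family];
}

/* Entry point: the one place the user-controlled family is validated.
 * Returns 0 and sets *handler on success, -22 (-EINVAL) for an
 * out-of-range family, -2 (-ENOENT) when nothing is registered for it. */
int diag_cmd(uint8_t sdiag_family, const char **handler)
{
    unsigned long family = sdiag_family;

    if (family >= AF_MAX_DEMO)
        return -22;
    /* Architecturally unreachable for bad input, but the loads below may be
     * issued speculatively before the branch resolves: mask here, once. */
    family = array_index_nospec(family, AF_MAX_DEMO);

    if (!is_registered(family))
        return -2;
    if (handler)
        *handler = lookup_handler(family);
    return 0;
}

/* Convenience wrapper: handler name or NULL. */
const char *diag_handler_name(uint8_t sdiag_family)
{
    const char *h = NULL;
    return diag_cmd(sdiag_family, &h) == 0 ? h : NULL;
}

int main(void)
{
    uint8_t probes[] = { 0, 1, 2, 7, 8, 200 };
    for (size_t i = 0; i < sizeof(probes); i++) {
        const char *h = NULL;
        int rc = diag_cmd(probes[i], &h);
        printf("family %3u -> rc %3d handler %s\n", probes[i], rc, h ? h : "(none)");
    }
    return 0;
}
```

The masked value for an out-of-range index is 0, which is why the callee tables keep slot 0 empty: a speculative load through a clamped index only ever reads entry 0, never memory past the end of the array.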