Date: Sun, 29 Jul 2018 08:59:20 -0500
From: Josh Poimboeuf
To: Jeremy Cline
Cc: "David S . Miller", netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 1/2] net: socket: fix potential spectre v1 gadget in socketcall
Message-ID: <20180729135920.a2zo6de4f7chszgd@treble>
References: <20180727224302.5503-1-jcline@redhat.com> <20180727224302.5503-2-jcline@redhat.com>
In-Reply-To: <20180727224302.5503-2-jcline@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 27, 2018 at 10:43:01PM +0000, Jeremy Cline wrote:
> 'call' is a user-controlled value, so sanitize the array index after the
> bounds check to avoid speculating past the bounds of the 'nargs' array.
>
> Found with the help of Smatch:
>
> net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
> 'nargs' [r] (local cap)
>
> Cc: Josh Poimboeuf
> Cc: stable@vger.kernel.org
> Signed-off-by: Jeremy Cline
> ---
> net/socket.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/socket.c b/net/socket.c
> index 3015ddace71e..f15d5cbb3ba4 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -89,6 +89,7 @@
> #include
> #include
> #include
> +#include
>
> #include
> #include
> @@ -2504,6 +2505,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
>
> if (call < 1 || call > SYS_SENDMMSG)
> return -EINVAL;
> + call = array_index_nospec(call, SYS_SENDMMSG + 1);
>
> len = nargs[call];
> if (len > sizeof(a))

Reviewed-by: Josh Poimboeuf

--
Josh
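Review bot: the `+#include` line added by the first hunk carries no header name in the archived text, so it cannot be verified here that the header declaring array_index_nospec() is the one being added; confirm that the line in the applied patch names that header, since the call introduced by the second hunk does not compile without it.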
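Review bot: the clamp bound in the second hunk, `SYS_SENDMMSG + 1`, has to equal the number of entries in nargs[]; the check directly above rejects `call > SYS_SENDMMSG`, so the valid indices are 1..SYS_SENDMMSG and a table of SYS_SENDMMSG + 1 entries is consistent with that bound. Because the `if` already rejects out-of-range values architecturally, a reader may take the new assignment for a redundant second check; a one-line comment on `+ call = array_index_nospec(call, SYS_SENDMMSG + 1);` saying that it masks the index for the speculative path would document why both are needed, and the Smatch warning quoted in the commit message is the natural reference to cite there.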
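As an added illustration, which is not part of the patch or of net/socket.c, the following userspace C model reproduces the idiom the patch applies: an architectural bounds check, then array_index_nospec()-style masking of the user-controlled index, then the table lookup. mask_nospec() uses the same branch-free arithmetic as the kernel's generic fallback for array_index_mask_nospec(); demo_nargs[], DEMO_MAX_CALL and demo_socketcall_len() are constructed stand-ins for the kernel's nargs[], SYS_SENDMMSG and the socketcall prologue, and the table values are invented for the demo.

```c
/* Added example, not kernel code: a userspace model of the
 * array_index_nospec() idiom used in the socketcall patch above. */
#include <stdio.h>
#include <limits.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Returns ~0UL when index < size and 0UL otherwise, without a
 * data-dependent branch (same construction as the kernel's generic
 * fallback for array_index_mask_nospec()).  Relies on the compiler
 * implementing >> on a negative long as an arithmetic shift, as GCC
 * and Clang do. */
static inline unsigned long mask_nospec(unsigned long index, unsigned long size)
{
	/* (size - 1 - index) wraps to a value with the sign bit set exactly
	 * when index >= size, so the sign bit of (index | (size - 1 - index))
	 * marks an out-of-range index.  Inverting it and smearing the sign bit
	 * across the word gives the mask. */
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp a user-controlled index so that even a mispredicted path reads
 * an in-bounds slot (0) instead of running off the end of the array. */
static inline unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & mask_nospec(index, size);
}

/* Constructed stand-in for the socketcall nargs[] table: entry i is a
 * made-up argument count for "call" i; entry 0 is unused because calls
 * start at 1, as in the kernel's bounds check. */
#define DEMO_MAX_CALL 6
static const unsigned char demo_nargs[DEMO_MAX_CALL + 1] = { 0, 3, 3, 2, 3, 3, 6 };

#define DEMO_EINVAL (-22)	/* numeric value of -EINVAL on Linux */

/* Mirrors the shape of the patched prologue: architectural bounds check,
 * speculative-safe clamp with the table length as the bound, lookup. */
int demo_socketcall_len(int call)
{
	if (call < 1 || call > DEMO_MAX_CALL)
		return DEMO_EINVAL;
	/* Without this line, a mispredicted branch above could still index
	 * demo_nargs[] with an out-of-range 'call' transiently. */
	call = (int)index_nospec((unsigned long)call, DEMO_MAX_CALL + 1);
	return demo_nargs[call];
}

int main(void)
{
	int probes[] = { 0, 1, 6, 7, -1 };
	for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("call %2d -> %d\n", probes[i], demo_socketcall_len(probes[i]));
	printf("mask(3, 7) = %#lx, mask(7, 7) = %#lx\n",
	       mask_nospec(3, 7), mask_nospec(7, 7));
	return 0;
}
```

The mask is what makes the clamp safe on the speculative path: for an in-range index it is all ones and the index passes through unchanged, for any out-of-range value (including ULONG_MAX, which a negative int would become) it is zero, so the lookup lands on slot 0 rather than on attacker-chosen memory.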