Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2945763imm;
        Sun, 29 Jul 2018 07:01:50 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpcKy3yV1fjXH8bySOeSTfp1vKWyILY9KxVki5iFIh2MWj6nK1UWZxBjbvNoZ/yaVx6o9/EU
X-Received: by 2002:a63:4d06:: with SMTP id a6-v6mr12748421pgb.408.1532872910546;
        Sun, 29 Jul 2018 07:01:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1532872910; cv=none;
        d=google.com; s=arc-20160816;
        b=NsxUN7fLpxxAerR93L6PRP0UrB7Z2/HbYEaaozY1H6Q2aSNEWFuGyY2vWIs39xt30d
         PgXL/kXnlzjMpnFIeiBIbX2d4uv8Hr63EnWpYz7mYx9wE0SLeEIAqLxCkBIZEOUuWAun
         ZldRd84XbmeM3zXwMj6Lcms/eKBvhj+dHQhLP5zcbhbHDSLmjnpigoghceNBC2VWyN+P
         q6C7pljluMIG6OJyU7deO6xq6ec9zNmSqwJMPZainexjPitRpZGyFc4jjC8d6mMmXyCW
         SIDPCrmEIK0s52ePWzN6D5yCGO4gCj4hFBpGuPQtpZqxarM+QunFpYJLA8fcwrk86GaZ
         clmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=7lqm5Z1FBrdoF3BYT+CjUb/Ri5e7+a9ZZptVVF3E6rI=;
        b=ioDgM3kB5PG7Ehsy6mW/m/3wwIlUdtjTBJ8WMRY9XCcHDCbJNRA8XAP4LAvq4+1pos
         rtB6Ld+pg/tdHZ3I53PcleKRNEep+B6H+Uznoh+Hg8z83rzCDJjdTnoxqcvwWPAUboSY
         p0xbe+IMFqwyZpuoXasbtOGLOJM9rklOKnBckIYQE83axxdFnFYXoSwujDrfe8g73t8d
         XjywsXYv5BsQihes7uTGse9+RnUhCwBFE81oV1h+M2LJHhEo+kXMHhigAYtNllLlBsiT
         K2ZCWvcgdiqFTlwJprSCWlmQ19ItIMwUb3eP7E2xwxdK/IEmiwbMxLGOqkcAM0RuG5ls
         4TlA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q27-v6si8506952pfj.149.2018.07.29.07.01.35;
        Sun, 29 Jul 2018 07:01:50 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728637AbeG2P34 (ORCPT <rfc822;yxhlfx@gmail.com> + 99 others);
        Sun, 29 Jul 2018 11:29:56 -0400
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:47446 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726324AbeG2P34 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 29 Jul 2018 11:29:56 -0400
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 5D8EE40216FD;
        Sun, 29 Jul 2018 13:59:22 +0000 (UTC)
Received: from treble (ovpn-120-73.rdu2.redhat.com [10.10.120.73])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 02DCC2166BA2;
        Sun, 29 Jul 2018 13:59:21 +0000 (UTC)
Date:   Sun, 29 Jul 2018 08:59:20 -0500
From:   Josh Poimboeuf <jpoimboe@redhat.com>
To:     Jeremy Cline <jcline@redhat.com>
Cc:     "David S . Miller" <davem@davemloft.net>, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 1/2] net: socket: fix potential spectre v1 gadget in
 socketcall
Message-ID: <20180729135920.a2zo6de4f7chszgd@treble>
References: <20180727224302.5503-1-jcline@redhat.com>
 <20180727224302.5503-2-jcline@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20180727224302.5503-2-jcline@redhat.com>
User-Agent: NeoMutt/20180716
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Sun, 29 Jul 2018 13:59:22 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Sun, 29 Jul 2018 13:59:22 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'jpoimboe@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 27, 2018 at 10:43:01PM +0000, Jeremy Cline wrote:
> 'call' is a user-controlled value, so sanitize the array index after the
> bounds check to avoid speculating past the bounds of the 'nargs' array.
> 
> Found with the help of Smatch:
> 
> net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
> 'nargs' [r] (local cap)
> 
> Cc: Josh Poimboeuf <jpoimboe@redhat.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Jeremy Cline <jcline@redhat.com>
> ---
>  net/socket.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/socket.c b/net/socket.c
> index 3015ddace71e..f15d5cbb3ba4 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -89,6 +89,7 @@
>  #include <linux/magic.h>
>  #include <linux/slab.h>
>  #include <linux/xattr.h>
> +#include <linux/nospec.h>
>  
>  #include <linux/uaccess.h>
>  #include <asm/unistd.h>
> @@ -2504,6 +2505,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
>  
>  	if (call < 1 || call > SYS_SENDMMSG)
>  		return -EINVAL;
> +	call = array_index_nospec(call, SYS_SENDMMSG + 1);
>  
>  	len = nargs[call];
>  	if (len > sizeof(a))

Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>

-- 
Josh