From: Jeremy Cline
To: "David S . Miller"
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jeremy Cline, Josh Poimboeuf, konrad.wilk@oracle.com, jamie.iles@oracle.com, liran.alon@oracle.com, stable@vger.kernel.org
Subject: [PATCH] net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()
Date: Mon, 13 Aug 2018 22:23:13 +0000
Message-Id: <20180813222313.3510-1-jcline@redhat.com>

req->sdiag_family is a user-controlled value that's used as an array index. Sanitize it after the bounds check to avoid speculative out-of-bounds array access.

This also protects the sock_is_registered() call, so this removes the sanitize call there.

Fixes: e978de7a6d38 ("net: socket: Fix potential spectre v1 gadget in sock_is_registered")
Cc: Josh Poimboeuf
Cc: konrad.wilk@oracle.com
Cc: jamie.iles@oracle.com
Cc: liran.alon@oracle.com
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline
---

Since commit e978de7a6d38 didn't apply cleanly to v4.14, this won't either since it reverts that change. To apply cleanly there, the change to sock_is_registered() needs to be dropped.

 net/core/sock_diag.c | 2 ++
 net/socket.c         | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c index c37b5be7c5e4..3312a5849a97 100644 --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include @@ -218,6 +219,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh) if (req->sdiag_family >= AF_MAX) return -EINVAL; + req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX); if (sock_diag_handlers[req->sdiag_family] == NULL) sock_load_diag_module(req->sdiag_family, 0); 
diff --git a/net/socket.c b/net/socket.c index 53c907169818..391a0da49ffe 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2679,8 +2679,7 @@ EXPORT_SYMBOL(sock_unregister); bool sock_is_registered(int family) { - return family < NPROTO && - rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]); + return family < NPROTO && rcu_access_pointer(net_families[family]); } static int __init sock_init(void) -- 2.17.1
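
Review bot: In the __sock_diag_cmd() hunk of net/core/sock_diag.c, the array_index_nospec() result is stored back into req->sdiag_family rather than into a local, and that write-back is what the rest of the patch relies on, yet the added line carries no comment. It is the only reason the following sock_diag_handlers[req->sdiag_family] lookup, the sock_load_diag_module(req->sdiag_family, 0) call and anything reached from it see a clamped value. A one-line comment above the assignment saying the store into the request is deliberate would stop a later cleanup from turning it into a local and silently reopening the paths that re-read req->sdiag_family.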
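
Review bot: In the sock_is_registered() hunk of net/socket.c, dropping array_index_nospec() leaves only the architectural `family < NPROTO` test, so the function is speculation-safe only when every caller has already clamped `family`, and nothing in the function states that precondition. The path through __sock_diag_cmd() is covered by the clamp added in net/core/sock_diag.c, but that clamp is bounded by AF_MAX while net_families[] is bounded by NPROTO, so the argument also assumes the two limits agree. The function is not static, and any other caller that passes a user-controlled family would bring the gadget back. `family` is also a signed int, and the removed array_index_nospec(family, NPROTO) forced a negative index to 0 as a side effect, which the new expression no longer does. Consider keeping the clamp here, or at least adding a comment that callers must pass a sanitized, non-negative family.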
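
The bounds-check-then-clamp pattern the commit message describes, as an added userspace example that is not part of the patch or the kernel tree. It reproduces the branchless mask arithmetic of the kernel's generic array_index_nospec() fallback; DEMO_AF_MAX, demo_handlers and the function names are hypothetical stand-ins.

```c
#include <limits.h>
#include <stddef.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define DEMO_AF_MAX 45UL /* constructed table size, stands in for AF_MAX */

/* All-ones when index < size, zero otherwise, computed without a branch so
 * there is nothing for the branch predictor to mispredict. Relies on an
 * arithmetic right shift of a negative long, as gcc and clang provide. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
    /* Hide the value from the optimizer so the mask is not folded away. */
    __asm__ volatile("" : "+r"(index));
#endif
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (BITS_PER_LONG - 1));
}

/* In-range indexes pass through unchanged; anything else becomes 0. */
static unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Hypothetical handler table, all entries NULL. */
static const void *demo_handlers[DEMO_AF_MAX];

/* Same order as the patched code: architectural bounds check first, then the
 * clamp, then the array access that uses the clamped value. */
static int demo_lookup(unsigned long family, const void **out)
{
    if (family >= DEMO_AF_MAX)
        return -1;
    family = clamp_index_nospec(family, DEMO_AF_MAX);
    *out = demo_handlers[family];
    return 0;
}

int main(void)
{
    const void *h = NULL;
    /* Out-of-range index is clamped to 0 and rejected by the bounds check. */
    return (clamp_index_nospec(45, DEMO_AF_MAX) == 0 &&
            demo_lookup(45, &h) == -1) ? 0 : 1;
}
```

A negative signed value converted to unsigned long becomes a very large index, so the mask also forces it to 0.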