diff options
| author | Dan Williams <dan.j.williams@intel.com> | 2018-03-08 18:39:24 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-03-11 16:19:47 +0100 |
| commit | e7f17d033e58acce9df40bc44ed804720417ca2e (patch) | |
| tree | 47a11e8091e8790b1f852586d4a66f190333528d /crypto | |
| parent | 4bd01ca7633432694cab0a098dfb9cee7b157512 (diff) | |
| download | linux-stable-e7f17d033e58acce9df40bc44ed804720417ca2e.tar.gz linux-stable-e7f17d033e58acce9df40bc44ed804720417ca2e.tar.bz2 linux-stable-e7f17d033e58acce9df40bc44ed804720417ca2e.zip | |
mpls, nospec: Sanitize array index in mpls_label_ok()
commit 3968523f855050b8195134da951b87c20bd66130 upstream.
mpls_label_ok() validates that the 'platform_label' array index from a
userspace netlink message payload is valid. Under speculation the
mpls_label_ok() result may not resolve in the CPU pipeline until after
the index is used to access an array element. Sanitize the index to zero
to prevent userspace-controlled arbitrary out-of-bounds speculation, a
precursor for a speculative execution side channel vulnerability.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.4:
- mpls_label_ok() doesn't take an extack parameter
- Drop change in mpls_getroute()]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'crypto')
0 files changed, 0 insertions, 0 deletions