diff options
author | Jeremy Cline <jcline@redhat.com> | 2018-07-31 21:13:16 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-08-01 09:50:58 -0700 |
commit | bc5b6c0b62b932626a135f516a41838c510c6eba (patch) | |
tree | 60b67dc5c86603034ca42c875e73f7922489a553 | |
parent | e02ee9819a03c5d6439636c8fc152b4cc1b48304 (diff) | |
download | linux-bc5b6c0b62b932626a135f516a41838c510c6eba.tar.gz linux-bc5b6c0b62b932626a135f516a41838c510c6eba.tar.bz2 linux-bc5b6c0b62b932626a135f516a41838c510c6eba.zip |
netlink: Fix spectre v1 gadget in netlink_create()
'protocol' is a user-controlled value, so sanitize it after the bounds
check to avoid using it for speculative out-of-bounds access to arrays
indexed by it.
This addresses the following accesses detected with the help of smatch:
* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
spectre issue 'nlk_cb_mutex_keys' [w]
* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
spectre issue 'nlk_cb_mutex_key_strings' [w]
* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
issue 'nl_table' [w] (local cap)
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/netlink/af_netlink.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 7d860a22e5fb..c09d16870f74 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -63,6 +63,7 @@ #include <linux/hash.h> #include <linux/genetlink.h> #include <linux/net_namespace.h> +#include <linux/nospec.h> #include <net/net_namespace.h> #include <net/netns/generic.h> @@ -679,6 +680,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol, if (protocol < 0 || protocol >= MAX_LINKS) return -EPROTONOSUPPORT; + protocol = array_index_nospec(protocol, MAX_LINKS); netlink_lock_table(); #ifdef CONFIG_MODULES |