| Message ID | 20230120130249.3507411-1-edumazet@google.com (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr() | expand |
On 1/20/23 13:02, Eric Dumazet wrote: > int type = nla_type(nla); > > if (type > XFRMA_MAX) { > return -EOPNOTSUPP; > } > > @type is then used as an array index and can be used > as a Spectre v1 gadget. > > if (nla_len(nla) < compat_policy[type].len) { > > array_index_nospec() can be used to prevent leaking > content of kernel memory to malicious users. > > Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator") > Signed-off-by: Eric Dumazet <edumazet@google.com> > Cc: Dmitry Safonov <dima@arista.com> > Cc: Steffen Klassert <steffen.klassert@secunet.com> Reviewed-by: Dmitry Safonov <dima@arista.com> Thanks, Eric! > --- > net/xfrm/xfrm_compat.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c > index a0f62fa02e06e0aa97901aaf226dc84895f6a8ec..46bb239e4f06d56abbf3deecd89ac26625efb560 100644 > --- a/net/xfrm/xfrm_compat.c > +++ b/net/xfrm/xfrm_compat.c > @@ -5,6 +5,7 @@ > * Based on code and translator idea by: Florian Westphal <fw@strlen.de> > */ > #include <linux/compat.h> > +#include <linux/nospec.h> > #include <linux/xfrm.h> > #include <net/xfrm.h> > > @@ -437,6 +438,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla, > NL_SET_ERR_MSG(extack, "Bad attribute"); > return -EOPNOTSUPP; > } > + type = array_index_nospec(type, XFRMA_MAX + 1); > if (nla_len(nla) < compat_policy[type].len) { > NL_SET_ERR_MSG(extack, "Attribute bad length"); > return -EOPNOTSUPP;
On Fri, Jan 20, 2023 at 01:02:49PM +0000, Eric Dumazet wrote: > int type = nla_type(nla); > > if (type > XFRMA_MAX) { > return -EOPNOTSUPP; > } > > @type is then used as an array index and can be used > as a Spectre v1 gadget. > > if (nla_len(nla) < compat_policy[type].len) { > > array_index_nospec() can be used to prevent leaking > content of kernel memory to malicious users. > > Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator") > Signed-off-by: Eric Dumazet <edumazet@google.com> > Cc: Dmitry Safonov <dima@arista.com> > Cc: Steffen Klassert <steffen.klassert@secunet.com> Applied to the ipsec tree, thanks a lot Eric!
diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c index a0f62fa02e06e0aa97901aaf226dc84895f6a8ec..46bb239e4f06d56abbf3deecd89ac26625efb560 100644 --- a/net/xfrm/xfrm_compat.c +++ b/net/xfrm/xfrm_compat.c @@ -5,6 +5,7 @@ * Based on code and translator idea by: Florian Westphal <fw@strlen.de> */ #include <linux/compat.h> +#include <linux/nospec.h> #include <linux/xfrm.h> #include <net/xfrm.h> @@ -437,6 +438,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla, NL_SET_ERR_MSG(extack, "Bad attribute"); return -EOPNOTSUPP; } + type = array_index_nospec(type, XFRMA_MAX + 1); if (nla_len(nla) < compat_policy[type].len) { NL_SET_ERR_MSG(extack, "Attribute bad length"); return -EOPNOTSUPP;
int type = nla_type(nla); if (type > XFRMA_MAX) { return -EOPNOTSUPP; } @type is then used as an array index and can be used as a Spectre v1 gadget. if (nla_len(nla) < compat_policy[type].len) { array_index_nospec() can be used to prevent leaking content of kernel memory to malicious users. Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Dmitry Safonov <dima@arista.com> Cc: Steffen Klassert <steffen.klassert@secunet.com> --- net/xfrm/xfrm_compat.c | 2 ++ 1 file changed, 2 insertions(+)