authorDavid S. Miller <davem@davemloft.net>2018-07-28 22:43:31 -0700
committerDavid S. Miller <davem@davemloft.net>2018-07-28 22:43:31 -0700
commit6d27c6dd1012e7be748ec05da78556319718fbe7 (patch)
tree2d9f35288b60c467f18e5e81891c0a198a8adad3
parentMerge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf (diff)
parentnet: socket: Fix potential spectre v1 gadget in sock_is_registered (diff)
Merge branch 'net-socket-Fix-potential-spectre-v1-gadgets'
Jeremy Cline says: ==================== net: socket: Fix potential spectre v1 gadgets This fixes a pair of potential spectre v1 gadgets. Note that because the speculation window is large, the policy is to stop the speculative out-of-bounds load and not worry if the attack can be completed with a dependent load or store[0]. [0] https://marc.info/?l=linux-kernel&m=152449131114778 ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/socket.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/socket.c b/net/socket.c
index 85633622c94d..8c24d5dc4bc8 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -89,6 +89,7 @@
#include <linux/magic.h>
#include <linux/slab.h>
#include <linux/xattr.h>
+#include <linux/nospec.h>
#include <linux/uaccess.h>
#include <asm/unistd.h>
@@ -2522,6 +2523,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
if (call < 1 || call > SYS_SENDMMSG)
return -EINVAL;
+ call = array_index_nospec(call, SYS_SENDMMSG + 1);
len = nargs[call];
if (len > sizeof(a))
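Review bot: The new clamp in socketcall() has no comment explaining why it follows a range check that already rejects out-of-range values. A later cleanup could remove it as redundant. A one-line comment above it would record the intent, for example `/* range check above can be mispredicted; clamp call before it indexes nargs[] */`. The bound `SYS_SENDMMSG + 1` is written out separately from the check and from the table; the declaration of `nargs` is outside this hunk, so confirm the bound matches its length, or derive it from the array if it is a true array in scope. The body of socketcall() starts before and continues after the hunk.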
@@ -2688,7 +2690,8 @@ EXPORT_SYMBOL(sock_unregister);
bool sock_is_registered(int family)
{
- return family < NPROTO && rcu_access_pointer(net_families[family]);
+ return family < NPROTO &&
+ rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
}
static int __init sock_init(void)
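Review bot: In sock_is_registered(), a negative `family` still passes the signed test `family < NPROTO`, which has no lower bound. With the clamp it is no longer an out-of-range index; array_index_nospec() compares the index as unsigned and masks anything not below the size to zero, so the function reports the state of slot 0 instead of rejecting the value. Making the lower bound explicit keeps the architectural result correct as well as the speculative one: `return family >= 0 && family < NPROTO &&` followed by the existing `rcu_access_pointer(...)` line. The callers are not visible here, so if they already guarantee a non-negative family this is only defensive.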