From: Jeremy Cline Date: Fri, 27 Jul 2018 22:43:02 +0000 (+0000) Subject: net: socket: Fix potential spectre v1 gadget in sock_is_registered X-Git-Tag: Ubuntu-4.15.0-49.53~51 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=1ce9332c6cc7a62bae28b63d2e136ed91bcd0b5b;p=mirror_ubuntu-bionic-kernel.git net: socket: Fix potential spectre v1 gadget in sock_is_registered 'family' can be a user-controlled value, so sanitize it after the bounds check to avoid speculative out-of-bounds access. Cc: Josh Poimboeuf Cc: stable@vger.kernel.org Signed-off-by: Jeremy Cline Signed-off-by: David S. Miller CVE-2017-5753 (backported from commit e978de7a6d382ec378830ca2cf38e902df0b6d84) [juergh: Adjusted for missing sock_is_registered().] Signed-off-by: Juerg Haefliger Acked-by: Stefan Bader Acked-by: Kleber Sacilotto de Souza Signed-off-by: Stefan Bader --- diff --git a/net/socket.c b/net/socket.c index 0f3ec95ce966..a60ab4561e41 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2543,11 +2543,14 @@ int sock_register(const struct net_proto_family *ops) } spin_lock(&net_family_lock); - if (rcu_dereference_protected(net_families[ops->family], - lockdep_is_held(&net_family_lock))) + if (rcu_dereference_protected( + net_families[array_index_nospec(ops->family, NPROTO)], + lockdep_is_held(&net_family_lock))) err = -EEXIST; else { - rcu_assign_pointer(net_families[ops->family], ops); + rcu_assign_pointer( + net_families[array_index_nospec(ops->family, NPROTO)], + ops); err = 0; } spin_unlock(&net_family_lock);
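Review bot: the subject and message describe a gadget in sock_is_registered() driven by a user-controlled 'family', but both changed sites in this hunk are in sock_register() and index net_families[] with ops->family. The "[juergh: Adjusted for missing sock_is_registered().]" note says why the upstream location is absent, but not why sock_register() is the right place for the clamp in this tree. One sentence in the backport note on how ops->family can be influenced here would make the backport reviewable on its own. Two smaller points on the same hunk: `array_index_nospec(ops->family, NPROTO)` is now spelled out twice, once in the rcu_dereference_protected() read and once in the rcu_assign_pointer() write. Clamping once into a local, directly after the bounds check the message refers to (which sits above the visible context), and using that local at both sites would keep the check and the sanitization visibly paired and avoid the awkward line wrapping. The diff also adds no `#include <linux/nospec.h>`, so please confirm that net/socket.c in this tree already pulls it in.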