]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
projects / mirror_ubuntu-bionic-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e13f9a2) | patch
mpls, nospec: Sanitize array index in mpls_label_ok()
authorDan Williams <dan.j.williams@intel.com>
Thu, 8 Feb 2018 06:34:24 +0000 (22:34 -0800)
committerSeth Forshee <seth.forshee@canonical.com>
Fri, 23 Feb 2018 14:27:28 +0000 (08:27 -0600)
commit29a0a3836e7b9987f485ad003b53af762c2bb432
treed115ae74d08796d9553922b09f95a2f0f304b0fetree
parente13f9a2dc1c124670be6d0c6e3229e8121bcc727commit | diff
mpls, nospec: Sanitize array index in mpls_label_ok()

BugLink: http://bugs.launchpad.net/bugs/1751131
commit 3968523f855050b8195134da951b87c20bd66130 upstream.

mpls_label_ok() validates that the 'platform_label' array index from a
userspace netlink message payload is valid. Under speculation the
mpls_label_ok() result may not resolve in the CPU pipeline until after
the index is used to access an array element. Sanitize the index to zero
to prevent userspace-controlled arbitrary out-of-bounds speculation, a
precursor for a speculative execution side channel vulnerability.

Cc: <stable@vger.kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
net/mpls/af_mpls.c diff | blob | blame | history
ubuntu-bionic-kernel mirror