git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Jeremy Cline <jcline@redhat.com>
	Tue, 31 Jul 2018 21:13:16 +0000 (21:13 +0000)
committer	Stefan Bader <stefan.bader@canonical.com>
	Wed, 24 Apr 2019 08:09:07 +0000 (10:09 +0200)
commit	9cf388864120784a00b311a5875d5c6642efdece
tree	d32d7b8a2b269dd4e82973c95dbaec5f6cd42c6f	tree
parent	d66e9a0b0e882d891fe51cc6c03382421f808ff4	commit \| diff

netlink: Fix spectre v1 gadget in netlink_create()

'protocol' is a user-controlled value, so sanitize it after the bounds
check to avoid using it for speculative out-of-bounds access to arrays
indexed by it.

This addresses the following accesses detected with the help of smatch:

* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
  spectre issue 'nlk_cb_mutex_keys' [w]

* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
  spectre issue 'nlk_cb_mutex_key_strings' [w]

* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
  issue 'nl_table' [w] (local cap)

Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
CVE-2017-5753

(cherry picked from commit bc5b6c0b62b932626a135f516a41838c510c6eba)
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>