net: socket: Fix potential spectre v1 gadget in sock_is_registered

'family' can be a user-controlled value, so sanitize it after the bounds
check to avoid speculative out-of-bounds access.

Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
CVE-2017-5753

(backported from commit e978de7a6d382ec378830ca2cf38e902df0b6d84)
[juergh: Adjusted for missing sock_is_registered().]
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/net/socket.c b/net/socket.c
index 0f3ec95ce966cb74e0a50503dbd51be61a035952..a60ab4561e41e1c482397453b77ac24f2fa9e1ad 100644 (file)
--- a/net/socket.c
+++ b/net/socket.c
@@ -2543,11 +2543,14 @@ int sock_register(const struct net_proto_family *ops)
        }
 
        spin_lock(&net_family_lock);
-       if (rcu_dereference_protected(net_families[ops->family],
-                                     lockdep_is_held(&net_family_lock)))
+       if (rcu_dereference_protected(
+                   net_families[array_index_nospec(ops->family, NPROTO)],
+                   lockdep_is_held(&net_family_lock)))
                err = -EEXIST;
        else {
-               rcu_assign_pointer(net_families[ops->family], ops);
+               rcu_assign_pointer(
+                       net_families[array_index_nospec(ops->family, NPROTO)],
+                       ops);
                err = 0;
        }
        spin_unlock(&net_family_lock);