'family' can be a user-controlled value, so sanitize it after the bounds
check to avoid speculative out-of-bounds access.
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
CVE-2017-5753
(backported from commit e978de7a6d382ec378830ca2cf38e902df0b6d84)
[juergh: Adjusted for missing sock_is_registered().]
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
}
spin_lock(&net_family_lock);
- if (rcu_dereference_protected(net_families[ops->family],
- lockdep_is_held(&net_family_lock)))
+ if (rcu_dereference_protected(
+ net_families[array_index_nospec(ops->family, NPROTO)],
+ lockdep_is_held(&net_family_lock)))
err = -EEXIST;
else {
- rcu_assign_pointer(net_families[ops->family], ops);
+ rcu_assign_pointer(
+ net_families[array_index_nospec(ops->family, NPROTO)],
+ ops);
err = 0;
}
spin_unlock(&net_family_lock);
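Review bot: array_index_nospec(ops->family, NPROTO) is spelled out twice, once inside the rcu_dereference_protected() check and again in the rcu_assign_pointer() call in the else branch, so the check and the store each carry their own copy of the clamp. Computing it once into a local before spin_lock(&net_family_lock), e.g. `idx = array_index_nospec(ops->family, NPROTO);`, and using net_families[idx] in both places would keep the original line shapes and make it obvious that both accesses use the same sanitized index. The bounds check that the commit message says precedes the sanitization is not in the visible context, so please confirm that in this backport it still sits directly ahead of these accesses with no other use of ops->family as an index in between.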