net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()
authorJeremy Cline <jcline@redhat.com>
Mon, 13 Aug 2018 22:23:13 +0000 (22:23 +0000)
committerStefan Bader <stefan.bader@canonical.com>
Wed, 24 Apr 2019 08:09:07 +0000 (10:09 +0200)
req->sdiag_family is a user-controlled value that's used as an array
index. Sanitize it after the bounds check to avoid speculative
out-of-bounds array access.

This also protects the sock_is_registered() call, so this removes the
sanitize call there.

Fixes: e978de7a6d38 ("net: socket: Fix potential spectre v1 gadget in sock_is_registered")
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: konrad.wilk@oracle.com
Cc: jamie.iles@oracle.com
Cc: liran.alon@oracle.com
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
CVE-2017-5753

(backported from commit 66b51b0a0341fd42ce657739bdae0561b0410a85)
[juergh: Adjusted for missing sock_is_registered().]
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
net/core/sock_diag.c
net/socket.c

index 146b50e30659daca3bdc4413d800890ef482f521..b2dfcf250fefea4c1baa00c7f74bc5372746834b 100644 (file)
@@ -10,6 +10,7 @@
 #include <linux/kernel.h>
 #include <linux/tcp.h>
 #include <linux/workqueue.h>
+#include <linux/nospec.h>
 
 #include <linux/inet_diag.h>
 #include <linux/sock_diag.h>
@@ -218,6 +219,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
 
        if (req->sdiag_family >= AF_MAX)
                return -EINVAL;
+       req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
 
        if (sock_diag_handlers[req->sdiag_family] == NULL)
                request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
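Review bot: The new clamp right after the `>= AF_MAX` check carries no comment explaining why it sits there, and to a later reader it looks like a field assigned to itself; a one-line comment above it such as `/* sdiag_family is user-controlled and indexes sock_diag_handlers[]; clamp it so a mispredicted bounds check cannot speculatively read past the array */` would make the intent explicit. It is also worth noting that if `req` points into the netlink payload, as the `nlmsghdr` parameter suggests, the sanitized value is written back into the message buffer and every later read of `req->sdiag_family` in this function depends on that write-back; that is what the upstream commit does too, but the dependency deserves stating since a future change that re-derives `req` from `nlh` would silently lose the clamp. The include hunk above is fine as is. `__sock_diag_cmd` starts before this hunk and its remaining uses of `sdiag_family` lie past it.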
index a60ab4561e41e1c482397453b77ac24f2fa9e1ad..0f3ec95ce966cb74e0a50503dbd51be61a035952 100644 (file)
@@ -2543,14 +2543,11 @@ int sock_register(const struct net_proto_family *ops)
        }
 
        spin_lock(&net_family_lock);
-       if (rcu_dereference_protected(
-                   net_families[array_index_nospec(ops->family, NPROTO)],
-                   lockdep_is_held(&net_family_lock)))
+       if (rcu_dereference_protected(net_families[ops->family],
+                                     lockdep_is_held(&net_family_lock)))
                err = -EEXIST;
        else {
-               rcu_assign_pointer(
-                       net_families[array_index_nospec(ops->family, NPROTO)],
-                       ops);
+               rcu_assign_pointer(net_families[ops->family], ops);
                err = 0;
        }
        spin_unlock(&net_family_lock);
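Review bot: This hunk removes `array_index_nospec()` from `sock_register()`, yet the description only justifies removing it from `sock_is_registered()`, which the bracketed backport note says this tree lacks, so the reason the removal is safe here is never stated. As far as I can tell `ops->family` in `sock_register()` is supplied by in-kernel protocol-family code rather than by a syscall argument, and the function's earlier range check (outside the hunk, presumably `ops->family >= NPROTO`) is what keeps the index in bounds, so there is no user-controlled index to harden; that reasoning belongs in the backport note rather than being left for the reader to reconstruct. Suggest wording the note as `[juergh: sock_is_registered() does not exist here; drop the array_index_nospec() that the earlier backport added to sock_register(), whose family index is not user-controlled.]`. `sock_register` begins before this hunk and returns after it.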