On 1/6/2018 4:11 AM, Dan Williams wrote:
Static analysis reports that 'offset' may be a user controlled value that is used as a data dependency reading from a raw_frag_vec buffer. In order to avoid potential leaks of kernel memory values, block speculative execution of the instruction stream that could issue further reads based on an invalid '*(rfv->c + offset)' value. Based on an original patch by Elena Reshetova. Cc: "David S. Miller" <davem@xxxxxxxxxxxxx> Cc: Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx> Cc: Hideaki YOSHIFUJI <yoshfuji@xxxxxxxxxxxxxx> Cc: netdev@xxxxxxxxxxxxxxx Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx> Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx> --- net/ipv4/raw.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 125c1eab3eaa..f72b20131a15 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c
[...]
@@ -472,17 +473,17 @@ static int raw_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb) { struct raw_frag_vec *rfv = from; + char *rfv_buf;- if (offset < rfv->hlen) {+ if ((rfv_buf = nospec_array_ptr(rfv->hdr.c, offset, rfv->hlen))) {
And here... [...] MBR, Sergei
