Patch "xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 12 Feb 2023 14:56:37 -0500

This is a note to let you know that I've just added the patch titled

    xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm-compat-prevent-potential-spectre-v1-gadget-in-x.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cf66cdd2a9f692b1f9bff5411bbcc71c87244cdb
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Fri Jan 20 13:02:49 2023 +0000

    xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr()
    
    [ Upstream commit b6ee896385380aa621102e8ea402ba12db1cabff ]
    
      int type = nla_type(nla);
    
      if (type > XFRMA_MAX) {
                return -EOPNOTSUPP;
      }
    
    @type is then used as an array index and can be used
    as a Spectre v1 gadget.
    
      if (nla_len(nla) < compat_policy[type].len) {
    
    array_index_nospec() can be used to prevent leaking
    content of kernel memory to malicious users.
    
    Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator")
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Cc: Dmitry Safonov <dima@xxxxxxxxxx>
    Cc: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Reviewed-by: Dmitry Safonov <dima@xxxxxxxxxx>
    Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
index 12405aa5bce84..8cbf45a8bcdc2 100644
--- a/net/xfrm/xfrm_compat.c
+++ b/net/xfrm/xfrm_compat.c
@@ -5,6 +5,7 @@
  * Based on code and translator idea by: Florian Westphal <fw@xxxxxxxxx>
  */
 #include <linux/compat.h>
+#include <linux/nospec.h>
 #include <linux/xfrm.h>
 #include <net/xfrm.h>
 
@@ -437,6 +438,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla,
 		NL_SET_ERR_MSG(extack, "Bad attribute");
 		return -EOPNOTSUPP;
 	}
+	type = array_index_nospec(type, XFRMA_MAX + 1);
 	if (nla_len(nla) < compat_policy[type].len) {
 		NL_SET_ERR_MSG(extack, "Attribute bad length");
 		return -EOPNOTSUPP;






