On Fri, Jul 27, 2018 at 10:43:01PM +0000, Jeremy Cline wrote:
> 'call' is a user-controlled value, so sanitize the array index after the
> bounds check to avoid speculating past the bounds of the 'nargs' array.
>
> Found with the help of Smatch:
>
> net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
> 'nargs' [r] (local cap)
>
> Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Jeremy Cline <jcline@xxxxxxxxxx>
> ---
>  net/socket.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/net/socket.c b/net/socket.c
> index 3015ddace71e..f15d5cbb3ba4 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -89,6 +89,7 @@
>  #include <linux/magic.h>
>  #include <linux/slab.h>
>  #include <linux/xattr.h>
> +#include <linux/nospec.h>
>
>  #include <linux/uaccess.h>
>  #include <asm/unistd.h>
> @@ -2504,6 +2505,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
>
>  	if (call < 1 || call > SYS_SENDMMSG)
>  		return -EINVAL;
> +	call = array_index_nospec(call, SYS_SENDMMSG + 1);
>
>  	len = nargs[call];
>  	if (len > sizeof(a))

Reviewed-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>

--
Josh
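Review bot: The size argument in the second hunk matches the bounds check that precedes it: `if (call < 1 || call > SYS_SENDMMSG)` admits indices 1..SYS_SENDMMSG, and `array_index_nospec(call, SYS_SENDMMSG + 1)` masks any value that is speculatively taken past that range down to 0, which is still a slot inside `nargs`, so the dependent load `len = nargs[call]` cannot be steered outside the array during misspeculation. The placement is the important part for anyone backporting this to stable: the barrier has to sit after the architectural check and before the first array access that depends on `call`, exactly where the hunk puts it; hoisting it above the check would not help, and placing it after `len = nargs[call]` would leave the speculative read unprotected.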