On 07/29/2018 09:59 AM, Josh Poimboeuf wrote:
> On Fri, Jul 27, 2018 at 10:43:02PM +0000, Jeremy Cline wrote:
>> 'family' can be a user-controlled value, so sanitize it after the bounds
>> check to avoid speculative out-of-bounds access.
>>
>> Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
>> Cc: stable@xxxxxxxxxxxxxxx
>> Signed-off-by: Jeremy Cline <jcline@xxxxxxxxxx>
>> ---
>> net/socket.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/socket.c b/net/socket.c
>> index f15d5cbb3ba4..608e29ae6baf 100644
>> --- a/net/socket.c
>> +++ b/net/socket.c
>> @@ -2672,7 +2672,8 @@ EXPORT_SYMBOL(sock_unregister);
>>
>> bool sock_is_registered(int family)
>> {
>> - return family < NPROTO && rcu_access_pointer(net_families[family]);
>> + return family < NPROTO &&
>> + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
>> }
>>
>> static int __init sock_init(void)
>
> This is another one where I think it would be better to do the nospec
> clamp higher up the call chain. The untrusted 'family' value comes from
> __sock_diag_cmd():
>
> __sock_diag_cmd
> sock_load_diag_module
> sock_is_registered
>
> That function has a bounds check, and also uses the value in some other
> array accesses:
>
> if (req->sdiag_family >= AF_MAX)
> return -EINVAL;
>
> if (sock_diag_handlers[req->sdiag_family] == NULL)
> sock_load_diag_module(req->sdiag_family, 0);
>
> mutex_lock(&sock_diag_table_mutex);
> hndl = sock_diag_handlers[req->sdiag_family];
> ...
>
> So I think clamping 'req->sdiag_family' right after the bounds check
> would be the way to go.
>
Indeed, the clamp there would cover this clamp. I had a scheme that I
quickly fix all the gadgets in functions with local comparisons, but
clearly that's going to result in call chains with multiple clamps.
I can fix this in a follow-up with a clamp here, or respin this patch
set, whatever is easier for David.
Thanks for the review!
