diff mbox series

[net] netlink: prevent potential spectre v1 gadgets

Message ID 20230119110150.2678537-1-edumazet@google.com (mailing list archive)
State Accepted
Commit f0950402e8c76e7dcb08563f1b4e8000fbc62455
Delegated to: Netdev Maintainers
Headers show
Series [net] netlink: prevent potential spectre v1 gadgets | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/cc_maintainers fail 1 blamed authors not CCed: tgraf@suug.ch; 3 maintainers not CCed: fw@strlen.de yang.lee@linux.alibaba.com tgraf@suug.ch
netdev/build_clang success Errors and warnings before: 1 this patch: 1
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 21 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Eric Dumazet Jan. 19, 2023, 11:01 a.m. UTC 
Most netlink attributes are parsed and validated from
__nla_validate_parse() or validate_nla()

    u16 type = nla_type(nla);

    if (type == 0 || type > maxtype) {
        /* error or continue */
    }

@type is then used as an array index and can be used
as a Spectre v1 gadget.

array_index_nospec() can be used to prevent leaking
content of kernel memory to malicious users.

This should take care of vast majority of netlink uses,
but an audit is needed to take care of others where
validation is not yet centralized in core netlink functions.

Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface")
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 lib/nlattr.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org Jan. 21, 2023, 2 a.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 19 Jan 2023 11:01:50 +0000 you wrote:
> Most netlink attributes are parsed and validated from
> __nla_validate_parse() or validate_nla()
> 
>     u16 type = nla_type(nla);
> 
>     if (type == 0 || type > maxtype) {
>         /* error or continue */
>     }
> 
> [...]

Here is the summary with links:
  - [net] netlink: prevent potential spectre v1 gadgets
    https://git.kernel.org/netdev/net/c/f0950402e8c7

You are awesome, thank you!
diff mbox series

Patch

diff --git a/lib/nlattr.c b/lib/nlattr.c
index 9055e8b4d144e4c9fc0de6f6d8bbab0d7620932e..489e15bde5c1d248ba4914da2aa4839f1084f5b7 100644
--- a/lib/nlattr.c
+++ b/lib/nlattr.c
@@ -10,6 +10,7 @@ 
 #include <linux/kernel.h>
 #include <linux/errno.h>
 #include <linux/jiffies.h>
+#include <linux/nospec.h>
 #include <linux/skbuff.h>
 #include <linux/string.h>
 #include <linux/types.h>
@@ -381,6 +382,7 @@  static int validate_nla(const struct nlattr *nla, int maxtype,
 	if (type <= 0 || type > maxtype)
 		return 0;
 
+	type = array_index_nospec(type, maxtype + 1);
 	pt = &policy[type];
 
 	BUG_ON(pt->type > NLA_TYPE_MAX);
@@ -596,6 +598,7 @@  static int __nla_validate_parse(const struct nlattr *head, int len, int maxtype,
 			}
 			continue;
 		}
+		type = array_index_nospec(type, maxtype + 1);
 		if (policy) {
 			int err = validate_nla(nla, maxtype, policy,
 					       validate, extack, depth);