diff mbox series

[net] ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()

Message ID 20230120133040.3623463-1-edumazet@google.com (mailing list archive)
State Accepted
Commit 1d1d63b612801b3f0a39b7d4467cad0abd60e5c8
Delegated to: Netdev Maintainers
Headers show
Series [net] ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/cc_maintainers fail 1 blamed authors not CCed: fw@strlen.de; 3 maintainers not CCed: yoshfuji@linux-ipv6.org fw@strlen.de dsahern@kernel.org
netdev/build_clang success Errors and warnings before: 1 this patch: 1
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 13 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Eric Dumazet Jan. 20, 2023, 1:30 p.m. UTC 
if (!type)
		continue;
	if (type > RTAX_MAX)
		return -EINVAL;
	...
	metrics[type - 1] = val;

@type being used as an array index, we need to prevent
cpu speculation or risk leaking kernel memory content.

Fixes: 6cf9dfd3bd62 ("net: fib: move metrics parsing to a helper")
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/ipv4/metrics.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org Jan. 24, 2023, 5:50 a.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Fri, 20 Jan 2023 13:30:40 +0000 you wrote:
> if (!type)
> 		continue;
> 	if (type > RTAX_MAX)
> 		return -EINVAL;
> 	...
> 	metrics[type - 1] = val;
> 
> [...]

Here is the summary with links:
  - [net] ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()
    https://git.kernel.org/netdev/net/c/1d1d63b61280

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/ipv4/metrics.c b/net/ipv4/metrics.c
index 7fcfdfd8f9def057cbe163b8b395cd2379d98152..0e3ee1532848c8f49e0a342b7c8ecc1c27684e67 100644
--- a/net/ipv4/metrics.c
+++ b/net/ipv4/metrics.c
@@ -1,5 +1,6 @@ 
 // SPDX-License-Identifier: GPL-2.0-only
 #include <linux/netlink.h>
+#include <linux/nospec.h>
 #include <linux/rtnetlink.h>
 #include <linux/types.h>
 #include <net/ip.h>
@@ -25,6 +26,7 @@  static int ip_metrics_convert(struct net *net, struct nlattr *fc_mx,
 			return -EINVAL;
 		}
 
+		type = array_index_nospec(type, RTAX_MAX + 1);
 		if (type == RTAX_CC_ALGO) {
 			char tmp[TCP_CA_NAME_MAX];