Skip to content

Commit acf784b

Browse files
GustavoARSilvadavem330
authored andcommitted
net: atm: Fix potential Spectre v1
ioc_data.dev_num can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: net/atm/lec.c:702 lec_vcc_attach() warn: potential spectre issue 'dev_lec' Fix this by sanitizing ioc_data.dev_num before using it to index dev_lec. Also, notice that there is another instance in which array dev_lec is being indexed using ioc_data.dev_num at line 705: lec_vcc_added(netdev_priv(dev_lec[ioc_data.dev_num]), Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: [email protected] Signed-off-by: Gustavo A. R. Silva <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent 2be147f commit acf784b

File tree

1 file changed

+7
-2
lines changed

1 file changed

+7
-2
lines changed

net/atm/lec.c

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };
4141
#include <linux/module.h>
4242
#include <linux/init.h>
4343

44+
/* Hardening for Spectre-v1 */
45+
#include <linux/nospec.h>
46+
4447
#include "lec.h"
4548
#include "lec_arpc.h"
4649
#include "resources.h"
@@ -687,8 +690,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg)
687690
bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc));
688691
if (bytes_left != 0)
689692
pr_info("copy from user failed for %d bytes\n", bytes_left);
690-
if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF ||
691-
!dev_lec[ioc_data.dev_num])
693+
if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF)
694+
return -EINVAL;
695+
ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF);
696+
if (!dev_lec[ioc_data.dev_num])
692697
return -EINVAL;
693698
vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL);
694699
if (!vpriv)

0 commit comments

Comments
 (0)