* [PATCH net] netlink: prevent potential spectre v1 gadgets
@ 2023-01-19 11:01 Eric Dumazet
2023-01-21 2:00 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Eric Dumazet @ 2023-01-19 11:01 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: netdev, eric.dumazet, Eric Dumazet
Most netlink attributes are parsed and validated from
__nla_validate_parse() or validate_nla()
u16 type = nla_type(nla);
if (type == 0 || type > maxtype) {
/* error or continue */
}
@type is then used as an array index and can be used
as a Spectre v1 gadget.
array_index_nospec() can be used to prevent leaking
content of kernel memory to malicious users.
This should take care of vast majority of netlink uses,
but an audit is needed to take care of others where
validation is not yet centralized in core netlink functions.
Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface")
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
lib/nlattr.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/nlattr.c b/lib/nlattr.c
index 9055e8b4d144e4c9fc0de6f6d8bbab0d7620932e..489e15bde5c1d248ba4914da2aa4839f1084f5b7 100644
--- a/lib/nlattr.c
+++ b/lib/nlattr.c
@@ -10,6 +10,7 @@
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/jiffies.h>
+#include <linux/nospec.h>
#include <linux/skbuff.h>
#include <linux/string.h>
#include <linux/types.h>
@@ -381,6 +382,7 @@ static int validate_nla(const struct nlattr *nla, int maxtype,
if (type <= 0 || type > maxtype)
return 0;
+ type = array_index_nospec(type, maxtype + 1);
pt = &policy[type];
BUG_ON(pt->type > NLA_TYPE_MAX);
@@ -596,6 +598,7 @@ static int __nla_validate_parse(const struct nlattr *head, int len, int maxtype,
}
continue;
}
+ type = array_index_nospec(type, maxtype + 1);
if (policy) {
int err = validate_nla(nla, maxtype, policy,
validate, extack, depth);
--
2.39.1.405.gd4c25cc71f-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] netlink: prevent potential spectre v1 gadgets
2023-01-19 11:01 [PATCH net] netlink: prevent potential spectre v1 gadgets Eric Dumazet
@ 2023-01-21 2:00 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-01-21 2:00 UTC (permalink / raw)
To: Eric Dumazet; +Cc: davem, kuba, pabeni, netdev, eric.dumazet
Hello:
This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:
On Thu, 19 Jan 2023 11:01:50 +0000 you wrote:
> Most netlink attributes are parsed and validated from
> __nla_validate_parse() or validate_nla()
>
> u16 type = nla_type(nla);
>
> if (type == 0 || type > maxtype) {
> /* error or continue */
> }
>
> [...]
Here is the summary with links:
- [net] netlink: prevent potential spectre v1 gadgets
https://git.kernel.org/netdev/net/c/f0950402e8c7
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-01-21 2:00 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-19 11:01 [PATCH net] netlink: prevent potential spectre v1 gadgets Eric Dumazet
2023-01-21 2:00 ` patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.