net: socket: fix potential spectre v1 gadget in socketcall
commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream. 'call' is a user-controlled value, so sanitize the array index after the bounds check to avoid speculating past the bounds of the 'nargs' array. Found with the help of Smatch: net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue 'nargs' [r] (local cap) Change-Id: Ic679a022968f1caa97c624ed413a8dae5b67c506 Cc: Josh Poimboeuf <jpoimboe@redhat.com> Signed-off-by: Jeremy Cline <jcline@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
This commit is contained in:
Jeremy Cline
syphyr
parent
28d1fdd34e
commit
e0b522e3e6
|
|
@ -90,6 +90,7 @@
|
|||
#include <linux/xattr.h>
|
||||
#include <linux/seemp_api.h>
|
||||
#include <linux/seemp_instrumentation.h>
|
||||
#include <linux/nospec.h>
|
||||
|
||||
#include <asm/uaccess.h>
|
||||
#include <asm/unistd.h>
|
||||
|
|
@ -2517,6 +2518,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
|
|||
|
||||
if (call < 1 || call > SYS_SENDMMSG)
|
||||
return -EINVAL;
|
||||
call = array_index_nospec(call, SYS_SENDMMSG + 1);
|
||||
|
||||
len = nargs[call];
|
||||
if (len > sizeof(a))
|
||||
|
|
|
|||
Loading…
Reference in New Issue