From patchwork Fri Dec 21 21:47:53 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 1017731 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=embeddedor.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43M2L53l2gz9sN4 for ; Sat, 22 Dec 2018 08:47:57 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390729AbeLUVrz (ORCPT ); Fri, 21 Dec 2018 16:47:55 -0500 Received: from gateway24.websitewelcome.com ([192.185.51.202]:42892 "EHLO gateway24.websitewelcome.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730243AbeLUVrz (ORCPT ); Fri, 21 Dec 2018 16:47:55 -0500 Received: from cm16.websitewelcome.com (cm16.websitewelcome.com [100.42.49.19]) by gateway24.websitewelcome.com (Postfix) with ESMTP id 90F16292940 for ; Fri, 21 Dec 2018 15:47:54 -0600 (CST) Received: from gator4166.hostgator.com ([108.167.133.22]) by cmsmtp with SMTP id aSeAgF83v4FKpaSeAgk7cz; Fri, 21 Dec 2018 15:47:54 -0600 X-Authority-Reason: nr=8 Received: from [189.250.106.44] (port=35234 helo=embeddedor) by gator4166.hostgator.com with esmtpa (Exim 4.91) (envelope-from ) id 1gaSe9-000fir-Vy; Fri, 21 Dec 2018 15:47:54 -0600 Date: Fri, 21 Dec 2018 15:47:53 -0600 From: "Gustavo A. R. Silva" To: Samuel Ortiz , "David S. Miller" Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH] nfc: af_nfc: Fix Spectre v1 vulnerability Message-ID: <20181221214753.GA2799@embeddedor> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.9.4 (2018-02-28) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator4166.hostgator.com X-AntiAbuse: Original Domain - vger.kernel.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - embeddedor.com X-BWhitelist: no X-Source-IP: 189.250.106.44 X-Source-L: No X-Exim-ID: 1gaSe9-000fir-Vy X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (embeddedor) [189.250.106.44]:35234 X-Source-Auth: gustavo@embeddedor.com X-Email-Count: 14 X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20= X-Local-Domain: yes Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org proto is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: net/nfc/af_nfc.c:42 nfc_sock_create() warn: potential spectre issue 'proto_tab' [w] (local cap) Fix this by sanitizing proto before using it to index proto_tab. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Signed-off-by: Gustavo A. R. Silva --- net/nfc/af_nfc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/nfc/af_nfc.c b/net/nfc/af_nfc.c index d3e594eb36d0..256f3c57059e 100644 --- a/net/nfc/af_nfc.c +++ b/net/nfc/af_nfc.c @@ -21,6 +21,7 @@ #include #include +#include #include "nfc.h" @@ -37,6 +38,7 @@ static int nfc_sock_create(struct net *net, struct socket *sock, int proto, if (proto < 0 || proto >= NFC_SOCKPROTO_MAX) return -EINVAL; + proto = array_index_nospec(proto, NFC_SOCKPROTO_MAX); read_lock(&proto_tab_lock); if (proto_tab[proto] && try_module_get(proto_tab[proto]->owner)) {