netlink: prevent potential spectre v1 gadgets (f0950402) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit f0950402 authored Jan 19, 2023 by

Eric Dumazet Committed by Jakub Kicinski Jan 20, 2023

netlink: prevent potential spectre v1 gadgets

Most netlink attributes are parsed and validated from
__nla_validate_parse() or validate_nla()

    u16 type = nla_type(nla);

    if (type == 0 || type > maxtype) {
        /* error or continue */
    }

@type is then used as an array index and can be used
as a Spectre v1 gadget.

array_index_nospec() can be used to prevent leaking
content of kernel memory to malicious users.

This should take care of vast majority of netlink uses,
but an audit is needed to take care of others where
validation is not yet centralized in core netlink functions.

Fixes: bfa83a9e

 ("[NETLINK]: Type-safe netlink messages/attributes interface")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20230119110150.2678537-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 5deaa985

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 41b74e95
· Feb 03, 2023

mentioned in commit 41b74e95

mentioned in commit 41b74e95f297ac360ca7ed6bf200100717cb6c45

Toggle commit list
mirror @mirror
mentioned in commit 992e4ff7
· Feb 03, 2023

mentioned in commit 992e4ff7

mentioned in commit 992e4ff7116a77968039277b5d6aaa535c2f2184

Toggle commit list
mirror @mirror
mentioned in commit 3e5082b1
· Feb 07, 2023

mentioned in commit 3e5082b1

mentioned in commit 3e5082b1c66c7783fbcd79b5b178573230e528ff

Toggle commit list

Please register or to comment