ipv6: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel) Since the offset value in function raw6_getfrag() seems to be controllable by userspace and later on conditionally (upon bound check) used in the following memcpy, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

ipv6: prevent speculative execution
CVE-2017-5753 (Spectre v1 Intel) Since the offset value in function raw6_getfrag() seems to be controllable by userspace and later on conditionally (upon bound check) used in the following memcpy, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
5603071f · Elena Reshetova · Kleber Sacilotto de Souza · 98f3f8c3 · 5603071f
Commit 5603071f authored Aug 30, 2017 by Elena Reshetova Committed by Kleber Sacilotto de Souza Feb 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

net/ipv6/raw.c net/ipv6/raw.c +1 -0

No files found.
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -717,6 +717,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,
 	if (offset < rfv->hlen) {
 		int copy = min(rfv->hlen - offset, len);
+		osb();
 		if (skb->ip_summed == CHECKSUM_PARTIAL)
 			memcpy(to, rfv->c + offset, copy);
 		else