ipv4: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel) Since the offset value in function raw_getfrag() seems to be controllable by userspace and later on conditionally (upon bound check) used in the following memcpy, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

ipv4: prevent speculative execution
CVE-2017-5753 (Spectre v1 Intel) Since the offset value in function raw_getfrag() seems to be controllable by userspace and later on conditionally (upon bound check) used in the following memcpy, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
98f3f8c3 · Elena Reshetova · Kleber Sacilotto de Souza · ce20b028 · 98f3f8c3
Commit 98f3f8c3 authored Dec 13, 2017 by Elena Reshetova Committed by Kleber Sacilotto de Souza Feb 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

net/ipv4/raw.c net/ipv4/raw.c +1 -0

No files found.
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -466,6 +466,7 @@ static int raw_getfrag(void *from, char *to, int offset, int len, int odd,
 	if (offset < rfv->hlen) {
 		int copy = min(rfv->hlen - offset, len);

+		osb();
 		if (skb->ip_summed == CHECKSUM_PARTIAL)
 			memcpy(to, rfv->hdr.c + offset, copy);
 		else