iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Gustavo A. R. Silva 0df23e9b9b net: atm: Fix potential Spectre v1 
commit acf784bd0ce257fe43da7ca266f7a10b837479d2 upstream.

ioc_data.dev_num can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:
net/atm/lec.c:702 lec_vcc_attach() warn: potential spectre issue
'dev_lec'

Fix this by sanitizing ioc_data.dev_num before using it to index
dev_lec. Also, notice that there is another instance in which array
dev_lec is being indexed using ioc_data.dev_num at line 705:
lec_vcc_added(netdev_priv(dev_lec[ioc_data.dev_num]),

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-16 10:06:51 +02:00
..
6lowpan
6lowpan: put mcast compression in an own function
2015-10-21 00:49:25 +02:00
9p
net/9p: Switch to wait_event_killable()
2017-11-30 08:37:25 +00:00
802
8021q
vlan: also check phy_driver ts_info for vlan's real device
2018-04-13 19:50:25 +02:00
appletalk
atm
net: atm: Fix potential Spectre v1
2018-05-16 10:06:51 +02:00
ax25
ax25: Fix segfault after sock connection timeout
2017-02-04 09:45:09 +01:00
batman-adv
batman-adv: handle race condition for claims between gateways
2018-03-22 09:23:21 +01:00
bluetooth
Bluetooth: Send HCI Set Event Mask Page 2 command only when needed
2018-04-13 19:50:21 +02:00
bridge
netfilter: bridge: ebt_among: add more missing match size checks
2018-04-08 11:51:59 +02:00
caif
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
2017-07-05 14:37:14 +02:00
can
can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
2018-01-31 12:06:08 +01:00
ceph
libceph: validate con->state at the top of try_write()
2018-05-02 07:53:42 -07:00
core
net: fix uninit-value in __hw_addr_add_ex()
2018-05-16 10:06:50 +02:00
dcb
net/dcb: make dcbnl.c explicitly non-modular
2015-10-09 07:52:27 -07:00
dccp
dccp: initialize ireq->ir_mark
2018-05-16 10:06:50 +02:00
decnet
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
2018-02-25 11:03:38 +01:00
dns_resolver
KEYS: DNS: limit the length of option strings
2018-04-29 07:50:04 +02:00
dsa
net: dsa: select NET_SWITCHDEV
2017-11-15 17:13:11 +01:00
ethernet
net: introduce device min_header_len
2017-02-18 16:39:27 +01:00
hsr
net/hsr: fix a warning message
2015-11-23 14:56:15 -05:00
ieee802154
net: ieee802154: fix net_device reference release too early
2018-04-13 19:50:10 +02:00
ipv4
tcp: fix TCP_REPAIR_QUEUE bound checking
2018-05-16 10:06:50 +02:00
ipv6
ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
2018-04-29 07:50:06 +02:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 14:30:13 +02:00
irda
irda: do not leak initialized list.dev to userspace
2017-08-30 10:19:21 +02:00
iucv
net/iucv: Free memory obtained by kzalloc
2018-03-31 18:12:33 +02:00
key
af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
2018-04-13 19:50:01 +02:00
l2tp
l2tp: check sockaddr length in pppol2tp_connect()
2018-04-29 07:50:04 +02:00
l3mdev
net: Add netif_is_l3_slave
2015-10-07 04:27:43 -07:00
lapb
llc
llc: fix NULL pointer deref for SOCK_ZAPPED
2018-04-29 07:50:06 +02:00
mac80211
mac80211: Add RX flag to indicate ICV stripped
2018-05-16 10:06:46 +02:00
mac802154
mac802154: llsec: use kzfree
2015-10-21 00:49:24 +02:00
mpls
mpls, nospec: Sanitize array index in mpls_label_ok()
2018-03-11 16:19:47 +01:00
netfilter
ipvs: fix rtnl_lock lockups caused by start_sync_thread
2018-05-16 10:06:49 +02:00
netlabel
netlabel: add address family checks to netlbl_{sock,req}_delattr()
2016-08-20 18:09:22 +02:00
netlink
netlink: fix uninit-value in netlink_sendmsg
2018-05-16 10:06:50 +02:00
netrom
nfc
NFC: fix device-allocation error return
2017-11-30 08:37:23 +00:00
openvswitch
openvswitch: Delete conntrack entry clashing with an expectation.
2018-03-24 10:58:43 +01:00
packet
net: af_packet: fix race in PACKET_{R|T}X_RING
2018-04-29 07:50:06 +02:00
phonet
phonet: properly unshare skbs in phonet_rcv()
2016-01-31 11:29:00 -08:00
rds
rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
2018-04-13 19:50:13 +02:00
rfkill
rfkill: gpio: fix memory leak in probe error path
2018-05-16 10:06:51 +02:00
rose
rxrpc
rxrpc: check return value of skb_to_sgvec always
2018-04-13 19:50:23 +02:00
sched
net sched actions: fix dumping which requires several messages to user space
2018-04-13 19:50:27 +02:00
sctp
sctp: do not check port in sctp_inet6_cmp_addr
2018-04-29 07:50:05 +02:00
sunrpc
rpc_pipefs: fix double-dput()
2018-04-24 09:32:11 +02:00
switchdev
switchdev: pass pointer to fib_info instead of copy
2016-06-24 10:18:16 -07:00
tipc
tipc: add policy for TIPC_NLA_NET_ADDR
2018-04-29 07:50:06 +02:00
unix
net/unix: don't show information about sockets from other namespaces
2017-11-18 11:11:06 +01:00
vmw_vsock
vsock: use new wait API for vsock_stream_sendmsg()
2017-11-30 08:37:19 +00:00
wimax
wireless
nl80211: Sanitize array index in parse_txq_params
2018-02-25 11:03:53 +01:00
x25
net: x25: fix one potential use-after-free issue
2018-04-13 19:50:07 +02:00
xfrm
xfrm_user: fix return value from xfrm_user_rcv_msg
2018-05-16 10:06:51 +02:00
compat.c
audit: log 32-bit socketcalls
2017-10-08 10:14:18 +02:00
Kconfig
Make DST_CACHE a silent config option
2018-02-25 11:03:37 +01:00
Makefile
net: Introduce L3 Master device abstraction
2015-09-29 20:40:32 -07:00
socket.c
bpf: introduce BPF_JIT_ALWAYS_ON config
2018-02-03 17:04:24 +01:00
sysctl_net.c
net: Use ns_capable_noaudit() when determining net sysctl permissions
2016-09-15 08:27:50 +02:00