4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 4 Jan 2019 19:01:36 +0000 (20:01 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 4 Jan 2019 19:01:36 +0000 (20:01 +0100)
added patches:
ip6mr-fix-potential-spectre-v1-vulnerability.patch
ipv4-fix-potential-spectre-v1-vulnerability.patch
net-core-fix-spectre-v1-vulnerability.patch
phonet-af_phonet-fix-spectre-v1-vulnerability.patch

queue-4.9/ip6mr-fix-potential-spectre-v1-vulnerability.patch [new file with mode: 0644]
queue-4.9/ipv4-fix-potential-spectre-v1-vulnerability.patch [new file with mode: 0644]
queue-4.9/net-core-fix-spectre-v1-vulnerability.patch [new file with mode: 0644]
queue-4.9/phonet-af_phonet-fix-spectre-v1-vulnerability.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/ip6mr-fix-potential-spectre-v1-vulnerability.patch b/queue-4.9/ip6mr-fix-potential-spectre-v1-vulnerability.patch
new file mode 100644 (file)
index 0000000..f8032f9
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Fri Jan  4 19:53:50 CET 2019
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 11 Dec 2018 14:10:08 -0600
+Subject: ip6mr: Fix potential Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+
+[ Upstream commit 69d2c86766da2ded2b70281f1bf242cb0d58a778 ]
+
+vr.mifi is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/ipv6/ip6mr.c:1845 ip6mr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+net/ipv6/ip6mr.c:1919 ip6mr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+
+Fix this by sanitizing vr.mifi before using it to index mrt->vif_table'
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6mr.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -72,6 +72,8 @@ struct mr6_table {
+ #endif
+ };
++#include <linux/nospec.h>
++
+ struct ip6mr_rule {
+       struct fib_rule         common;
+ };
+@@ -1873,6 +1875,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd
+                       return -EFAULT;
+               if (vr.mifi >= mrt->maxvif)
+                       return -EINVAL;
++              vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
+               read_lock(&mrt_lock);
+               vif = &mrt->vif6_table[vr.mifi];
+               if (MIF_EXISTS(mrt, vr.mifi)) {
+@@ -1947,6 +1950,7 @@ int ip6mr_compat_ioctl(struct sock *sk,
+                       return -EFAULT;
+               if (vr.mifi >= mrt->maxvif)
+                       return -EINVAL;
++              vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
+               read_lock(&mrt_lock);
+               vif = &mrt->vif6_table[vr.mifi];
+               if (MIF_EXISTS(mrt, vr.mifi)) {
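Review bot: The backport inserts `#include <linux/nospec.h>` right after the closing `};` of `struct mr6_table` (the `@@ -72,6 +72,8 @@` hunk) rather than in the file's `#include` block near the top, which is where the sibling ipmr and phonet backports in this same series put it; a reader looking for the header with the other `#include <linux/...>` lines will not find it, so it should move up to join them. The two `array_index_nospec()` insertions themselves are placed correctly: each immediately follows the `vr.mifi >= mrt->maxvif` rejection so the clamp uses the same bound as the check, and because `vr.mifi` itself is rewritten, the subsequent `vif6_table[vr.mifi]` and `MIF_EXISTS(mrt, vr.mifi)` uses are both covered. Note that `mrt->maxvif` is read before `read_lock(&mrt_lock)` is taken; that ordering is pre-existing and not changed here, but it means the bound used by the clamp is the unlocked value. Both `ip6mr_ioctl()` and `ip6mr_compat_ioctl()` start and end outside the hunk.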
diff --git a/queue-4.9/ipv4-fix-potential-spectre-v1-vulnerability.patch b/queue-4.9/ipv4-fix-potential-spectre-v1-vulnerability.patch
new file mode 100644 (file)
index 0000000..8ae0615
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Fri Jan  4 19:53:50 CET 2019
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 10 Dec 2018 12:41:24 -0600
+Subject: ipv4: Fix potential Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+
+[ Upstream commit 5648451e30a0d13d11796574919a359025d52cce ]
+
+vr.vifi is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/ipv4/ipmr.c:1616 ipmr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+net/ipv4/ipmr.c:1690 ipmr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+
+Fix this by sanitizing vr.vifi before using it to index mrt->vif_table'
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ipmr.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -68,6 +68,8 @@
+ #include <linux/netconf.h>
+ #include <net/nexthop.h>
++#include <linux/nospec.h>
++
+ struct ipmr_rule {
+       struct fib_rule         common;
+ };
+@@ -1562,6 +1564,7 @@ int ipmr_compat_ioctl(struct sock *sk, u
+                       return -EFAULT;
+               if (vr.vifi >= mrt->maxvif)
+                       return -EINVAL;
++              vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);
+               read_lock(&mrt_lock);
+               vif = &mrt->vif_table[vr.vifi];
+               if (VIF_EXISTS(mrt, vr.vifi)) {
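Review bot: Only one of the two sites named in the commit message appears to be patched here: the Smatch output lists both `ipmr_ioctl()` and `ipmr_compat_ioctl()`, the sibling ip6mr backport in this series touches both its plain and compat ioctl, yet this file carries a single code hunk whose context line reads `int ipmr_compat_ioctl(struct sock *sk, u` and a diffstat of 3 insertions (include, blank line, one clamp). Unless 4.9's `ipmr_ioctl()` SIOCGETVIFCNT path differs from upstream, it still indexes `mrt->vif_table[vr.vifi]` with an unclamped user-supplied index and needs the same line, `vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);`, after its `if (vr.vifi >= mrt->maxvif) return -EINVAL;` check. The clamp that is present is correctly placed after the bound check and, since it rewrites `vr.vifi` itself, covers both the `vif_table[vr.vifi]` and `VIF_EXISTS(mrt, vr.vifi)` uses that follow. `ipmr_compat_ioctl()` starts and ends outside the hunk.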
diff --git a/queue-4.9/net-core-fix-spectre-v1-vulnerability.patch b/queue-4.9/net-core-fix-spectre-v1-vulnerability.patch
new file mode 100644 (file)
index 0000000..07343e2
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Fri Jan  4 19:53:50 CET 2019
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Fri, 21 Dec 2018 14:49:01 -0600
+Subject: net: core: Fix Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+
+[ Upstream commit 50d5258634aee2e62832aa086d2fb0de00e72b91 ]
+
+flen is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/core/filter.c:1101 bpf_check_classic() warn: potential spectre issue 'filter' [w]
+
+Fix this by sanitizing flen before using it to index filter at line 1101:
+
+       switch (filter[flen - 1].code) {
+
+and through pc at line 1040:
+
+       const struct sock_filter *ftest = &filter[pc];
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/filter.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -51,6 +51,7 @@
+ #include <net/dst_metadata.h>
+ #include <net/dst.h>
+ #include <net/sock_reuseport.h>
++#include <linux/nospec.h>
+ /**
+  *    sk_filter_trim_cap - run a packet through a socket filter
+@@ -786,6 +787,7 @@ static int bpf_check_classic(const struc
+       bool anc_found;
+       int pc;
++      flen = array_index_nospec(flen, BPF_MAXINSNS + 1);
+       /* Check the filter code now */
+       for (pc = 0; pc < flen; pc++) {
+               const struct sock_filter *ftest = &filter[pc];
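Review bot: The clamp `flen = array_index_nospec(flen, BPF_MAXINSNS + 1);` is only sound if every caller has already rejected `flen > BPF_MAXINSNS`, and that check is neither in this hunk nor visible in `bpf_check_classic()` itself, so the `+ 1` cap silently encodes a precondition enforced elsewhere. A one-line comment above it would keep the two in step: `/* Callers have already rejected flen > BPF_MAXINSNS; clamp so a mispredicted bound check cannot index filter[] past that. */`. If that caller-side check ever moves or its limit changes, the cap here has to change with it, which the comment should make explicit. `bpf_check_classic()` starts before the hunk (its signature is only in the `@@` context) and continues past it, including the `filter[flen - 1]` switch the message cites.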
diff --git a/queue-4.9/phonet-af_phonet-fix-spectre-v1-vulnerability.patch b/queue-4.9/phonet-af_phonet-fix-spectre-v1-vulnerability.patch
new file mode 100644 (file)
index 0000000..1c9f463
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Fri Jan  4 19:53:50 CET 2019
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Fri, 21 Dec 2018 15:41:17 -0600
+Subject: phonet: af_phonet: Fix Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+
+[ Upstream commit d686026b1e6ed4ea27d630d8f54f9a694db088b2 ]
+
+protocol is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/phonet/af_phonet.c:48 phonet_proto_get() warn: potential spectre issue 'proto_tab' [w] (local cap)
+
+Fix this by sanitizing protocol before using it to index proto_tab.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/phonet/af_phonet.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/phonet/af_phonet.c
++++ b/net/phonet/af_phonet.c
+@@ -34,6 +34,8 @@
+ #include <net/phonet/phonet.h>
+ #include <net/phonet/pn_dev.h>
++#include <linux/nospec.h>
++
+ /* Transport protocol registration */
+ static struct phonet_protocol *proto_tab[PHONET_NPROTO] __read_mostly;
+@@ -43,6 +45,7 @@ static struct phonet_protocol *phonet_pr
+       if (protocol >= PHONET_NPROTO)
+               return NULL;
++      protocol = array_index_nospec(protocol, PHONET_NPROTO);
+       rcu_read_lock();
+       pp = rcu_dereference(proto_tab[protocol]);
index 53019fe8ee2c76d856afa250f27c25ec04be4a1d..153192db1c8e7f18405d8bef42f50c662b06856f 100644 (file)
@@ -1 +1,5 @@
 nfc-nxp-nci-include-unaligned.h-instead-of-access_ok.h.patch
+ip6mr-fix-potential-spectre-v1-vulnerability.patch
+ipv4-fix-potential-spectre-v1-vulnerability.patch
+net-core-fix-spectre-v1-vulnerability.patch
+phonet-af_phonet-fix-spectre-v1-vulnerability.patch