This is a note to let you know that I've just added the patch titled
mpls, nospec: Sanitize array index in mpls_label_ok()
to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From 3968523f855050b8195134da951b87c20bd66130 Mon Sep 17 00:00:00 2001
From: Dan Williams dan.j.williams@intel.com Date: Wed, 7 Feb 2018 22:34:24 -0800 Subject: mpls, nospec: Sanitize array index in mpls_label_ok()
From: Dan Williams dan.j.williams@intel.com
commit 3968523f855050b8195134da951b87c20bd66130 upstream.
mpls_label_ok() validates that the 'platform_label' array index from a userspace netlink message payload is valid. Under speculation the mpls_label_ok() result may not resolve in the CPU pipeline until after the index is used to access an array element. Sanitize the index to zero to prevent userspace-controlled arbitrary out-of-bounds speculation, a precursor for a speculative execution side channel vulnerability.
Cc: stable@vger.kernel.org Cc: "David S. Miller" davem@davemloft.net Cc: Eric W. Biederman ebiederm@xmission.com Signed-off-by: Dan Williams dan.j.williams@intel.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 net/mpls/af_mpls.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -8,6 +8,7 @@
 #include <linux/ipv6.h>
 #include <linux/mpls.h>
 #include <linux/netconf.h>
+#include <linux/nospec.h>
 #include <linux/vmalloc.h>
 #include <linux/percpu.h>
 #include <net/ip.h>
@@ -904,24 +905,27 @@ errout:
 return err;
 }
-static bool mpls_label_ok(struct net *net, unsigned int index,
+static bool mpls_label_ok(struct net *net, unsigned int *index,
 struct netlink_ext_ack *extack)
 {
+ bool is_ok = true;
+
 /* Reserved labels may not be set */
- if (index < MPLS_LABEL_FIRST_UNRESERVED) {
+ if (*index < MPLS_LABEL_FIRST_UNRESERVED) {
 NL_SET_ERR_MSG(extack,
 "Invalid label - must be MPLS_LABEL_FIRST_UNRESERVED or higher");
- return false;
+ is_ok = false;
 }
/* The full 20 bit range may not be supported. */
- if (index >= net->mpls.platform_labels) {
+ if (is_ok && *index >= net->mpls.platform_labels) {
 NL_SET_ERR_MSG(extack,
 "Label >= configured maximum in platform_labels");
- return false;
+ is_ok = false;
 }
- return true;
+ *index = array_index_nospec(*index, net->mpls.platform_labels);
+ return is_ok;
 }
static int mpls_route_add(struct mpls_route_config *cfg,
@@ -944,7 +948,7 @@ static int mpls_route_add(struct mpls_ro
 index = find_free_label(net);
 }
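Review bot: mpls_label_ok() still reads like a pure predicate, but in the new code it writes through `index` on every path, including the failure ones: an out-of-range label is replaced by 0 by `array_index_nospec()` before `false` is returned. A comment above the function should state that contract, for example `/* Validates *index and clamps it with array_index_nospec(); callers must index platform_label[] only with the value left in *index, and only after a true return. */`. The mitigation holds only if each later array access uses the sanitized variable rather than a fresh copy of the netlink value, which is worth confirming at the four call sites changed in the following hunks, whose function bodies continue outside the visible lines. `net->mpls.platform_labels` is also read twice, once for the bounds check and once as the clamp size; reading it once into a local would keep the two in agreement if the field can change concurrently, which these lines do not show.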
- if (!mpls_label_ok(net, index, extack))
+ if (!mpls_label_ok(net, &index, extack))
 goto errout;
/* Append makes no sense with mpls */
@@ -1021,7 +1025,7 @@ static int mpls_route_del(struct mpls_ro
index = cfg->rc_label;
- if (!mpls_label_ok(net, index, extack))
+ if (!mpls_label_ok(net, &index, extack))
 goto errout;
mpls_route_update(net, index, NULL, &cfg->rc_nlinfo);
@@ -1779,7 +1783,7 @@ static int rtm_to_route_config(struct sk
 goto errout;
if (!mpls_label_ok(cfg->rc_nlinfo.nl_net,
- cfg->rc_label, extack))
+ &cfg->rc_label, extack))
 goto errout;
 break;
 }
@@ -2106,7 +2110,7 @@ static int mpls_getroute(struct sk_buff
 goto errout;
 }
- if (!mpls_label_ok(net, in_label, extack)) {
+ if (!mpls_label_ok(net, &in_label, extack)) {
 err = -EINVAL;
 goto errout;
 }
Patches currently in stable-queue which might be from dan.j.williams@intel.com are
queue-4.14/x86-entry-64-interleave-xor-register-clearing-with-push-instructions.patch queue-4.14/nospec-move-array_index_nospec-parameter-checking-into-separate-macro.patch queue-4.14/x86-entry-64-merge-the-pop_c_regs-and-pop_extra_regs-macros-into-a-single-pop_regs-macro.patch queue-4.14/kvm-nvmx-set-the-cpu_based_use_msr_bitmaps-if-we-have-a-valid-l02-msr-bitmap.patch queue-4.14/x86-nvmx-properly-set-spec_ctrl-and-pred_cmd-before-merging-msrs.patch queue-4.14/x86-speculation-add-asm-msr-index.h-dependency.patch queue-4.14/mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch queue-4.14/x86-entry-64-use-push_and_clean_regs-in-more-cases.patch queue-4.14/x86-speculation-update-speculation-control-microcode-blacklist.patch queue-4.14/x86-entry-64-clear-registers-for-exceptions-interrupts-to-reduce-speculation-attack-surface.patch queue-4.14/x86-speculation-correct-speculation-control-microcode-blacklist-again.patch queue-4.14/x86-entry-64-merge-save_c_regs-and-save_extra_regs-remove-unused-extensions.patch queue-4.14/x86-entry-64-indent-push_and_clear_regs-and-pop_regs-properly.patch queue-4.14/x86-speculation-fix-up-array_index_nospec_mask-asm-constraint.patch queue-4.14/x86-entry-64-clear-extra-registers-beyond-syscall-arguments-to-reduce-speculation-attack-surface.patch queue-4.14/kvm-x86-reduce-retpoline-performance-impact-in-slot_handle_level_range-by-always-inlining-iterator-helper-methods.patch queue-4.14/x86-mm-pti-fix-pti-comment-in-entry_syscall_64.patch queue-4.14/x86-entry-64-get-rid-of-the-alloc_pt_gpregs_on_stack-and-save_and_clear_regs-macros.patch queue-4.14/mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch queue-4.14/x86-speculation-clean-up-various-spectre-related-details.patch queue-4.14/x86-entry-64-introduce-the-push_and_clean_regs-macro.patch queue-4.14/revert-x86-speculation-simplify-indirect_branch_prediction_barrier.patch 
queue-4.14/x86-entry-64-compat-clear-registers-for-compat-syscalls-to-reduce-speculation-attack-surface.patch queue-4.14/x86-entry-64-fix-cr3-restore-in-paranoid_exit.patch