From: Eric Dumazet Date: Fri, 20 Jan 2023 13:30:40 +0000 (+0000) Subject: ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() X-Git-Tag: baikal/aarch64/sdk5.9~46 X-Git-Url: https://git.baikalelectronics.ru/?a=commitdiff_plain;h=54267467b4bb1615a3a62cabe147daebd2cd5b29;p=kernel.git ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() [ Upstream commit 1d1d63b612801b3f0a39b7d4467cad0abd60e5c8 ] if (!type) continue; if (type > RTAX_MAX) return -EINVAL; ... metrics[type - 1] = val; @type being used as an array index, we need to prevent cpu speculation or risk leaking kernel memory content. Fixes: cd8f53800078 ("net: fib: move metrics parsing to a helper") Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20230120133040.3623463-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- diff --git a/net/ipv4/metrics.c b/net/ipv4/metrics.c index 3205d5f7c8c94..4966ac2aaf87d 100644 --- a/net/ipv4/metrics.c +++ b/net/ipv4/metrics.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0-only #include +#include #include #include #include @@ -28,6 +29,7 @@ static int ip_metrics_convert(struct net *net, struct nlattr *fc_mx, return -EINVAL; } + type = array_index_nospec(type, RTAX_MAX + 1); if (type == RTAX_CC_ALGO) { char tmp[TCP_CA_NAME_MAX];