android_kernel_oneplus_msm8998/net/ipv6
Gustavo A. R. Silva 6dc5050769 ip6mr: Fix potential Spectre v1 vulnerability
[ Upstream commit 69d2c86766da2ded2b70281f1bf242cb0d58a778 ]

vr.mifi is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

net/ipv6/ip6mr.c:1845 ip6mr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
net/ipv6/ip6mr.c:1919 ip6mr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)

Fix this by sanitizing vr.mifi before using it to index mrt->vif_table.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-13 10:05:27 +01:00
netfilter ipv6: orphan skbs in reassembly unit 2018-11-10 07:41:35 -08:00
addrconf.c net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs 2018-11-10 07:41:41 -08:00
addrconf_core.c
addrlabel.c
af_inet6.c
ah6.c ipsec: check return value of skb_to_sgvec always 2018-04-13 19:50:23 +02:00
anycast.c
datagram.c ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull 2018-07-28 07:45:03 +02:00
esp6.c ipsec: check return value of skb_to_sgvec always 2018-04-13 19:50:23 +02:00
exthdrs.c
exthdrs_core.c
exthdrs_offload.c
fib6_rules.c
icmp.c
ila.c
inet6_connection_sock.c
inet6_hashtables.c
ip6_checksum.c
ip6_fib.c
ip6_flowlabel.c
ip6_gre.c ip6_gre: better validate user provided tunnel names 2018-04-13 19:50:26 +02:00
ip6_icmp.c
ip6_input.c
ip6_offload.c gso_segment: Reset skb->mac_len after modifying network header 2018-09-29 03:08:52 -07:00
ip6_offload.h
ip6_output.c ipv6: Check available headroom in ip6_xmit() even without options 2018-12-17 21:55:08 +01:00
ip6_tunnel.c ip6_tunnel: be careful when accessing the inner header 2018-10-20 09:52:36 +02:00
ip6_udp_tunnel.c
ip6_vti.c vti6: flush x-netns xfrm cache when vti interface is removed 2018-11-10 07:41:38 -08:00
ip6mr.c ip6mr: Fix potential Spectre v1 vulnerability 2019-01-13 10:05:27 +01:00
ipcomp6.c
ipv6_sockglue.c
Kconfig ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV 2018-08-15 17:42:05 +02:00
Makefile
mcast.c ipv6: mcast: fix a use-after-free in inet6_mc_check 2018-11-10 07:41:41 -08:00
mcast_snoop.c
mip6.c
ndisc.c ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called 2018-11-10 07:41:41 -08:00
netfilter.c
output_core.c
ping.c
proc.c
protocol.c
raw.c
reassembly.c
route.c ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF 2018-11-27 16:07:57 +01:00
sit.c Revert "sit: reload iphdr in ipip6_rcv" 2018-07-22 14:25:52 +02:00
syncookies.c
sysctl_net_ipv6.c
tcp_ipv6.c tcp: increment sk_drops for dropped rx packets 2018-10-13 09:11:34 +02:00
tcpv6_offload.c
tunnel6.c
udp.c
udp_impl.h
udp_offload.c
udplite.c
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c xfrm6: call kfree_skb when skb is toobig 2018-11-10 07:41:32 -08:00
xfrm6_policy.c xfrm6: avoid potential infinite loop in _decode_session6() 2018-07-03 11:21:24 +02:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c