www.infradead.org Git - users/jedix/linux-maple.git/commitdiff
ipv4: prevent speculative execution
author Elena Reshetova <elena.reshetova@intel.com>
Thu, 4 Jan 2018 10:03:54 +0000 (02:03 -0800)
committer Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
Fri, 12 Jan 2018 18:20:01 +0000 (10:20 -0800)
Since the offset value in function raw_getfrag()
seems to be controllable by userspace and later on
conditionally (upon bound check) used in the following
memcpy, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
net/ipv4/raw.c

index 3e24498e8ffccc36ee59218c20b7d9a36f7f6e3c..14dee7ef1fc1bc43d5e5c2a7a7bebd33a60560f6 100644 (file)
@@ -466,6 +466,7 @@ static int raw_getfrag(void *from, char *to, int offset, int len, int odd,
        if (offset < rfv->hlen) {
                int copy = min(rfv->hlen - offset, len);
 
+               osb();
                if (skb->ip_summed == CHECKSUM_PARTIAL)
                        memcpy(to, rfv->hdr.c + offset, copy);
                else
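Review bot: the osb() added ahead of the `if (skb->ip_summed == CHECKSUM_PARTIAL)` test carries no comment, so a later reader cannot tell which bound it protects or why it must stay in this position. A one-line comment above it saying that it stops speculation past the `offset < rfv->hlen` check before `rfv->hdr.c + offset` is read would keep it from being moved or dropped during cleanup. The placement itself looks right: it sits after the bounds check and before the if/else, so it covers the memcpy in the first arm as well as whatever the else arm does with offset. The commit message only says offset "seems to be controllable by userspace"; since the barrier runs on every call that enters this branch, it would help to state in the message whether that was confirmed and through which caller.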