net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()

req->sdiag_family is a user-controlled value that's used as an array
index. Sanitize it after the bounds check to avoid speculative
out-of-bounds array access.

This also protects the sock_is_registered() call, so this removes the
sanitize call there.

Fixes: e978de7a6d38 ("net: socket: Fix potential spectre v1 gadget in sock_is_registered")
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: konrad.wilk@oracle.com
Cc: jamie.iles@oracle.com
Cc: liran.alon@oracle.com
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index c37b5be7c5e4f0b4b91267b34c5ba867e90cbc69..3312a5849a974e372a49164abca8f7067a2ed7e7 100644 (file)
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -10,6 +10,7 @@
 #include <linux/kernel.h>
 #include <linux/tcp.h>
 #include <linux/workqueue.h>
+#include <linux/nospec.h>
 
 #include <linux/inet_diag.h>
 #include <linux/sock_diag.h>
@@ -218,6 +219,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
 
        if (req->sdiag_family >= AF_MAX)
                return -EINVAL;
+       req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
 
        if (sock_diag_handlers[req->sdiag_family] == NULL)
                sock_load_diag_module(req->sdiag_family, 0);

diff --git a/net/socket.c b/net/socket.c
index b91949168a87fa7f7bd576355635340107b68a2e..270f28264cb1b0c2453953d7146f90432934ac56 100644 (file)
--- a/net/socket.c
+++ b/net/socket.c
@@ -2697,8 +2697,7 @@ EXPORT_SYMBOL(sock_unregister);
 
 bool sock_is_registered(int family)
 {
-       return family < NPROTO &&
-               rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
+       return family < NPROTO && rcu_access_pointer(net_families[family]);
 }
 
 static int __init sock_init(void)