net: mpls: prevent speculative execution

Since the index value in function mpls_route_input_rcu()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
platform_label, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>

diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 1f93a5978f2ad43fc81a16427e34d07ca2c0f34e..756c5e680b111be21230d484dae6d3d360ef6d7c 100644 (file)
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -48,6 +48,8 @@ static struct mpls_route *mpls_route_input_rcu(struct net *net, unsigned index)
        if (index < net->mpls.platform_labels) {
                struct mpls_route __rcu **platform_label =
                        rcu_dereference(net->mpls.platform_label);
+
+               osb();
                rt = rcu_dereference(platform_label[index]);
        }
        return rt;