www.infradead.org Git - users/jedix/linux-maple.git/commitdiff
ipv6: prevent speculative execution
author Elena Reshetova <elena.reshetova@intel.com>
Thu, 4 Jan 2018 10:07:33 +0000 (02:07 -0800)
committer Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
Fri, 12 Jan 2018 18:20:01 +0000 (10:20 -0800)
Since the offset value in function raw6_getfrag()
seems to be controllable by userspace and later on
conditionally (upon bound check) used in the
following memcpy, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
net/ipv6/raw.c

index 3ed214c1745c3ff4c1255a2d78c3557f73e5d2fe..fa1d16ebd40f403bc91055851dd0b234510628f0 100644 (file)
@@ -724,6 +724,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,
        if (offset < rfv->hlen) {
                int copy = min(rfv->hlen - offset, len);
 
+               osb();
                if (skb->ip_summed == CHECKSUM_PARTIAL)
                        memcpy(to, rfv->c + offset, copy);
                else
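
Review bot: The osb() call added between the `int copy = min(rfv->hlen - offset, len);` line and the `skb->ip_summed` test has no comment, so nothing in the code says which check it pairs with or why it must stay there. Please add a one-line comment above it stating that offset may be influenced by userspace and that the barrier keeps the `rfv->c + offset` read in the memcpy from being issued speculatively before `offset < rfv->hlen` has resolved. Placement looks right as far as the visible lines show: the barrier is inside the bound-checked block and ahead of the if/else, so both branches are ordered after it. Since it runs on every call that enters this block, the commit message would also benefit from a note on whether the cost on this path was measured.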