From: Elena Reshetova <elena.reshetova@intel.com>
Date: Thu, 4 Jan 2018 10:12:38 +0000 (-0800)
Subject: net: mpls: prevent speculative execution
X-Git-Tag: v4.1.12-124.31.3~1372
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=89d45d75c5f403d41983711b5fe88e34cb6661b7;p=users%2Fjedix%2Flinux-maple.git

net: mpls: prevent speculative execution

Since the index value in function mpls_route_input_rcu()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
platform_label, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>

Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
---

diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 1f93a5978f2a..756c5e680b11 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -48,6 +48,8 @@ static struct mpls_route *mpls_route_input_rcu(struct net *net, unsigned index)
 	if (index < net->mpls.platform_labels) {
 		struct mpls_route __rcu **platform_label =
 			rcu_dereference(net->mpls.platform_label);
+
+		osb();
 		rt = rcu_dereference(platform_label[index]);
 	}
 	return rt;