On x86-32, after decoding a frame pointer to get a regs address,
regs_size() dereferences the regs pointer when it checks regs->cs to see
if the regs are user mode. This is dangerous because it's possible that
what looks like a decoded frame pointer is actually a corrupt value, and
we don't want the unwinder to make things worse.
Instead of calling regs_size() on an unsafe pointer, just assume they're
kernel regs to start with. Later, once it's safe to access the regs, we
can do the user mode check and corresponding safety check for the
remaining two regs.
Signed-off-by: Andy Whitcroft <email address hidden>
3ee43cb...
by
Elena Reshetova <email address hidden>
userns: prevent speculative execution
CVE-2017-5753 (Spectre v1 Intel)
Since the pos value in function m_start()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
map->extent, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.
Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
68b1d65...
by
Elena Reshetova <email address hidden>
udf: prevent speculative execution
CVE-2017-5753 (Spectre v1 Intel)
Since the eahd->appAttrLocation value in function
udf_add_extendedattr() seems to be controllable by
userspace and later on conditionally (upon bound check)
used in following memmove, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.
Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
9abafe1...
by
Elena Reshetova <email address hidden>
net: mpls: prevent speculative execution
CVE-2017-5753 (Spectre v1 Intel)
Since the index value in function mpls_route_input_rcu()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
platform_label, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.
Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
303e4e1...
by
Elena Reshetova <email address hidden>
fs: prevent speculative execution
CVE-2017-5753 (Spectre v1 Intel)
Since the fd value in function __fcheck_files()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
fdt->fd, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.
Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
2a05491...
by
Elena Reshetova <email address hidden>
ipv6: prevent speculative execution
CVE-2017-5753 (Spectre v1 Intel)
Since the offset value in function raw6_getfrag()
seems to be controllable by userspace and later on
conditionally (upon bound check) used in the
following memcpy, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.
Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>
6e14d74...
by
Elena Reshetova <email address hidden>
ipv4: prevent speculative execution
CVE-2017-5753 (Spectre v1 Intel)
Since the offset value in function raw_getfrag()
seems to be controllable by userspace and later on
conditionally (upon bound check) used in the following
memcpy, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.
Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>