4.17-stable review patch. If anyone has any objections, please let me know.
------------------ From: Jeremy Cline <[email protected]> commit e978de7a6d382ec378830ca2cf38e902df0b6d84 upstream. 'family' can be a user-controlled value, so sanitize it after the bounds check to avoid speculative out-of-bounds access. Cc: Josh Poimboeuf <[email protected]> Cc: [email protected] Signed-off-by: Jeremy Cline <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- net/socket.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/socket.c +++ b/net/socket.c @@ -2694,7 +2694,8 @@ EXPORT_SYMBOL(sock_unregister); bool sock_is_registered(int family) { - return family < NPROTO && rcu_access_pointer(net_families[family]); + return family < NPROTO && + rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]); } static int __init sock_init(void)
