From: "Gustavo A. R. Silva" <gust...@embeddedor.com> Date: Fri, 21 Dec 2018 14:49:01 -0600
> flen is indirectly controlled by user-space, hence leading to > a potential exploitation of the Spectre variant 1 vulnerability. > > This issue was detected with the help of Smatch: > > net/core/filter.c:1101 bpf_check_classic() warn: potential spectre issue > 'filter' [w] > > Fix this by sanitizing flen before using it to index filter at line 1101: > > switch (filter[flen - 1].code) { > > and through pc at line 1040: > > const struct sock_filter *ftest = &filter[pc]; > > Notice that given that speculation windows are large, the policy is > to kill the speculation on the first load and not worry if it can be > completed with a dependent load/store [1]. > > [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 > > Signed-off-by: Gustavo A. R. Silva <gust...@embeddedor.com> BPF folks, I'll take this directly. Applied and queued up for -stable, thanks.