linux/net
Dan Williams 259d8c1e98 nl80211: Sanitize array index in parse_txq_params
Wireless drivers rely on parse_txq_params to validate that txq_params->ac
is less than NL80211_NUM_ACS by the time the low-level driver's ->conf_tx()
handler is called. Use a new helper, array_index_nospec(), to sanitize
txq_params->ac with respect to speculation. I.e. ensure that any
speculation into ->conf_tx() handlers is done with a value of
txq_params->ac that is within the bounds of [0, NL80211_NUM_ACS).

Reported-by: Christian Lamparter <chunkeey@gmail.com>
Reported-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-arch@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: linux-wireless@vger.kernel.org
Cc: torvalds@linux-foundation.org
Cc: "David S. Miller" <davem@davemloft.net>
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727419584.33451.7700736761686184303.stgit@dwillia2-desk3.amr.corp.intel.com
2018-01-30 21:54:32 +01:00
..
6lowpan License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
9p 9p: add missing module license for xen transport 2018-01-15 13:13:53 -05:00
802 treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
8021q 8021q: fix a memory leak for VLAN 0 device 2018-01-10 15:31:07 -05:00
appletalk treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
atm treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
ax25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
batman-adv batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq 2017-12-04 11:47:33 +01:00
bluetooth Bluetooth: Prevent stack info leak from the EFS element. 2018-01-04 17:01:01 +01:00
bpf
bridge net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks 2017-12-18 13:29:01 -05:00
caif caif_usb: use strlcpy() instead of strncpy() 2018-01-10 15:06:14 -05:00
can can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once 2018-01-18 09:32:54 +01:00
ceph We have a set of file locking improvements from Zheng, rbd rw/ro 2017-11-21 05:38:32 -10:00
core net: qdisc_pkt_len_init() should be more robust 2018-01-22 16:00:05 -05:00
dcb
dccp dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state 2018-01-26 11:15:00 -05:00
decnet treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
dns_resolver
dsa net: remove duplicate includes 2017-12-13 13:18:46 -05:00
ethernet
hsr
ieee802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
ife MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
ipv4 net: don't call update_pmtu unconditionally 2018-01-25 16:27:34 -05:00
ipv6 net: don't call update_pmtu unconditionally 2018-01-25 16:27:34 -05:00
ipx Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
iucv
kcm kcm: Check if sk_user_data already set in kcm_attach 2018-01-24 15:54:30 -05:00
key af_key: Fix memory leak in key_notify_policy. 2018-01-10 09:45:11 +01:00
l2tp l2tp: exit_net cleanup check added 2017-11-14 15:45:53 +09:00
l3mdev
lapb treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
llc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
mac80211 mac80211: mesh: drop frames appearing to be from us 2018-01-04 15:51:53 +01:00
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
mpls Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
ncsi treewide: setup_timer() -> timer_setup() (2 field) 2017-11-21 15:57:09 -08:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-08 20:21:39 -08:00
netlabel net/netlabel: Add list_next_rcu() in rcu_dereference(). 2017-11-18 10:32:41 +09:00
netlink netlink: reset extack earlier in netlink_rcv_skb 2018-01-18 15:14:51 -05:00
netrom treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
nfc treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
nsh openvswitch: enable NSH support 2017-11-08 16:12:33 +09:00
openvswitch Revert "openvswitch: Add erspan tunnel support." 2018-01-15 14:33:16 -05:00
packet net/packet: fix a race in packet_bind() and packet_notifier() 2017-11-28 11:13:30 -05:00
phonet phonet: exit_net cleanup check added 2017-11-14 15:45:53 +09:00
psample MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-10 10:00:18 +09:00
rds rds: tcp: compute m_ack_seq as offset from ->write_seq 2018-01-22 15:43:54 -05:00
rfkill
rose treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
rxrpc rxrpc: Use correct netns source in rxrpc_release_sock() 2017-12-03 10:05:20 -05:00
sched net: sched: em_nbyte: don't add the data offset twice 2018-01-24 14:52:40 -05:00
sctp gso: validate gso_type in GSO handlers 2018-01-22 16:01:30 -05:00
smc net/smc: Fix preinitialization of buf_desc in __smc_buf_create() 2017-11-24 01:33:34 +09:00
strparser strparser: Call sock_owned_by_user_nocheck 2017-12-28 14:28:22 -05:00
sunrpc NFS client fixes for Linux 4.15-rc4 2017-12-16 13:12:53 -08:00
switchdev net: bridge: Add/del switchdev object on host join/leave 2017-11-10 13:41:40 +09:00
tipc tipc: fix a memory leak in tipc_nl_node_get_link() 2018-01-15 13:45:50 -05:00
tls tls: Correct length of scatterlist in tls_sw_sendpage 2018-01-22 16:25:21 -05:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
vmw_vsock VSOCK: set POLLOUT | POLLWRNORM for TCP_CLOSING 2018-01-26 11:16:27 -05:00
wimax License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wireless nl80211: Sanitize array index in parse_txq_params 2018-01-30 21:54:32 +01:00
x25 treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
xfrm xfrm: fix boolean assignment in xfrm_get_type_offload 2018-01-23 10:56:36 +01:00
compat.c
Kconfig
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
socket.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-10 17:55:42 -08:00
sysctl_net.c