[Patch?==?utf-8?q? 2/3] Problem with upstream SPECTRE mitigation found in sendmsg/recvmsg syscalls

François Legal devel at thom.fr.eu.org
Wed Dec 16 09:43:23 CET 2020


From: François LEGAL <devel at thom.fr.eu.org>

The RTNET sendmsg/recvmsg protocol handlers used to call copy_to/from_user on the struct user_msghdr argument. The syscall entry code already does this copy, so calling copy_to/from_user again in the handlers triggers the SPECTRE mitigation protection. This patch removes those calls from the handlers.

This patch has not been tested

Signed-off-by: François LEGAL <devel at thom.fr.eu.org>
---
 kernel/drivers/net/stack/ipv4/udp/udp.c     | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/kernel/drivers/net/stack/ipv4/udp/udp.c b/kernel/drivers/net/stack/ipv4/udp/udp.c
index c26b4bd..546b358 100644
--- a/kernel/drivers/net/stack/ipv4/udp/udp.c
+++ b/kernel/drivers/net/stack/ipv4/udp/udp.c
@@ -386,7 +386,7 @@ int rt_udp_ioctl(struct rtdm_fd *fd, unsigned int request, void __user *arg)
 /***
  *  rt_udp_recvmsg
  */
-ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *u_msg,
+ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *msg,
 		       int msg_flags)
 {
 	struct rtsocket *sock = rtdm_fd_to_private(fd);
@@ -400,14 +400,9 @@ ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *u_msg,
 	struct sockaddr_in sin;
 	nanosecs_rel_t timeout = sock->timeout;
 	int ret, flags;
-	struct user_msghdr _msg, *msg;
 	socklen_t namelen;
 	struct iovec iov_fast[RTDM_IOV_FASTMAX], *iov;
 
-	msg = rtnet_get_arg(fd, &_msg, u_msg, sizeof(_msg));
-	if (IS_ERR(msg))
-		return PTR_ERR(msg);
-
 	if (msg->msg_iovlen < 0)
 		return -EINVAL;
 
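Review bot: With the rtnet_get_arg() copy gone, `msg->msg_iovlen` is read straight through the pointer the caller passed, so this handler is only safe if every caller hands it a kernel-resident msghdr. Nothing visible in this hunk enforces or documents that, and the commit message says the patch has not been tested. I would record the contract above the function, for example `/* msg: kernel copy made by the syscall entry, never a user pointer */`, and confirm that in-kernel callers and any other entry path follow it. The same applies to the copy removed from rt_udp_sendmsg in the last hunk. The function body starts and ends outside this hunk.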
@@ -450,7 +445,7 @@ ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *u_msg,
 			goto fail;
 
 		namelen = sizeof(sin);
-		ret = rtnet_put_arg(fd, &u_msg->msg_namelen, &namelen,
+		ret = rtnet_put_arg(fd, &msg->msg_namelen, &namelen,
 				    sizeof(namelen));
 		if (ret)
 			goto fail;
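Review bot: `rtnet_put_arg()` still writes `namelen` to `&msg->msg_namelen`, but per the commit message msg is now the kernel copy made by the syscall entry, not the caller's user pointer. If rtnet_put_arg() does a user-space copy for user-originated fds, as its earlier use on `u_msg` suggests, it now receives a kernel address. It would then presumably fail the access check with -EFAULT, or trip the same hardening this patch is trying to avoid. A plain store, `msg->msg_namelen = namelen;`, looks like what is wanted here, and likewise `msg->msg_flags = flags;` in the next hunk. Both rely on the syscall entry copying the header back to the caller, which this patch does not show. The enclosing function starts and ends outside the hunk.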
@@ -494,7 +489,7 @@ ssize_t rt_udp_recvmsg(struct rtdm_fd *fd, struct user_msghdr *u_msg,
 		flags |= MSG_TRUNC;
 
 	if (flags != msg->msg_flags) {
-		ret = rtnet_put_arg(fd, &u_msg->msg_flags, &flags,
+		ret = rtnet_put_arg(fd, &msg->msg_flags, &flags,
 				    sizeof(flags));
 		if (ret)
 			goto fail;
@@ -588,7 +583,6 @@ ssize_t rt_udp_sendmsg(struct rtdm_fd *fd, const struct user_msghdr *msg,
 	u16 dport;
 	int err;
 	rtdm_lockctx_t context;
-	struct user_msghdr _msg;
 	struct iovec iov_fast[RTDM_IOV_FASTMAX], *iov;
 
 	if (msg_flags & MSG_OOB) /* Mirror BSD error message compatibility */
@@ -597,10 +591,6 @@ ssize_t rt_udp_sendmsg(struct rtdm_fd *fd, const struct user_msghdr *msg,
 	if (msg_flags & ~(MSG_DONTROUTE | MSG_DONTWAIT))
 		return -EINVAL;
 
-	msg = rtnet_get_arg(fd, &_msg, msg, sizeof(*msg));
-	if (IS_ERR(msg))
-		return PTR_ERR(msg);
-
 	if (msg->msg_iovlen < 0)
 		return -EINVAL;



