From 3f0911868f7c2f2ac3c7cd3fd4c3313449fc851f Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Wed, 30 Aug 2017 13:48:35 +0300
Subject: [PATCH 85/89] ipv6: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the offset value in function raw6_getfrag()
seems to be controllable by userspace and later on
conditionally (upon bound check) used in the
following memcpy, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 net/ipv6/raw.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 60be012fe708..04480e22d859 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -726,6 +726,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd,
 	if (offset < rfv->hlen) {
 		int copy = min(rfv->hlen - offset, len);
 
+		osb();
 		if (skb->ip_summed == CHECKSUM_PARTIAL)
 			memcpy(to, rfv->c + offset, copy);
 		else
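Review bot: the added `osb();` line has no comment saying which check it pairs with or which load it protects, so a later cleanup could move or drop it without noticing. Suggest a one-line comment above it stating that it stops speculation past the `offset < rfv->hlen` check before `rfv->c + offset` is read. Placing it ahead of the `if (skb->ip_summed == CHECKSUM_PARTIAL)` test covers both the `memcpy` and the `else` path, which is worth saying in that comment as well. The commit message says the offset only "seems to be" controllable by userspace; since the barrier runs on every call that enters this branch, the message should state whether that was confirmed.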
-- 
2.15.1

