|
Message-ID: <151648240107.34747.10187199369712404586.stgit@dwillia2-desk3.amr.corp.intel.com> Date: Sat, 20 Jan 2018 13:06:41 -0800 From: Dan Williams <dan.j.williams@...el.com> To: tglx@...utronix.de Cc: linux-arch@...r.kernel.org, kernel-hardening@...ts.openwall.com, gregkh@...uxfoundation.org, Al Viro <viro@...iv.linux.org.uk>, torvalds@...ux-foundation.org, alan@...ux.intel.com Subject: [PATCH v4.1 08/10] vfs, fdtable: prevent bounds-check bypass via speculative execution 'fd' is a user controlled value that is used as a data dependency to read from the 'fdt->fd' array. In order to avoid potential leaks of kernel memory values, block speculative execution of the instruction stream that could issue reads based on an invalid 'file *' returned from __fcheck_files. Cc: Al Viro <viro@...iv.linux.org.uk> Co-developed-by: Elena Reshetova <elena.reshetova@...el.com> Signed-off-by: Dan Williams <dan.j.williams@...el.com> --- include/linux/fdtable.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h index 1c65817673db..9731f1a255db 100644 --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -10,6 +10,7 @@ #include <linux/compiler.h> #include <linux/spinlock.h> #include <linux/rcupdate.h> +#include <linux/nospec.h> #include <linux/types.h> #include <linux/init.h> #include <linux/fs.h> @@ -81,9 +82,11 @@ struct dentry; static inline struct file *__fcheck_files(struct files_struct *files, unsigned int fd) { struct fdtable *fdt = rcu_dereference_raw(files->fdt); + struct file __rcu **fdp; - if (fd < fdt->max_fds) - return rcu_dereference_raw(fdt->fd[fd]); + fdp = array_ptr(fdt->fd, fd, fdt->max_fds); + if (fdp) + return rcu_dereference_raw(*fdp); return NULL; }
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.