diff options
author | Jeff Moyer <jmoyer@redhat.com> | 2018-12-11 18:37:49 +0100 |
---|---|---|
committer | Jens Axboe <axboe@kernel.dk> | 2018-12-11 19:45:50 +0100 |
commit | a538e3ff9dabcdf6c3f477a373c629213d1c3066 (patch) | |
tree | 8f94a879f2bd8b990032bead3a410b1bf000558b /fs/aio.c | |
parent | block/bio: Do not zero user pages (diff) | |
download | linux-a538e3ff9dabcdf6c3f477a373c629213d1c3066.tar.xz linux-a538e3ff9dabcdf6c3f477a373c629213d1c3066.zip |
aio: fix spectre gadget in lookup_ioctx
Matthew pointed out that the ioctx_table is susceptible to spectre v1,
because the index can be controlled by an attacker. The below patch
should mitigate the attack for all of the aio system calls.
Cc: stable@vger.kernel.org
Reported-by: Matthew Wilcox <willy@infradead.org>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to '')
-rw-r--r-- | fs/aio.c | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -45,6 +45,7 @@ #include <asm/kmap_types.h> #include <linux/uaccess.h> +#include <linux/nospec.h> #include "internal.h" @@ -1038,6 +1039,7 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id) if (!table || id >= table->nr) goto out; + id = array_index_nospec(id, table->nr); ctx = rcu_dereference(table->table[id]); if (ctx && ctx->user_id == ctx_id) { if (percpu_ref_tryget_live(&ctx->users)) |