diff mbox series

fs: prevent out-of-bounds array speculation when closing a file descriptor

Message ID 20200723185921.1847880-1-tytso@mit.edu (mailing list archive)
State New, archived
Headers show
Series fs: prevent out-of-bounds array speculation when closing a file descriptor | expand

Commit Message

Theodore Ts'o July 23, 2020, 6:59 p.m. UTC 
Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
 fs/file.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Sedat Dilek July 24, 2020, 1:18 a.m. UTC | #1 
On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
>
> Google-Bug-Id: 114199369
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+

- Sedat -

> ---
>  fs/file.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/fs/file.c b/fs/file.c
> index abb8b7081d7a..73189eaad1df 100644
> --- a/fs/file.c
> +++ b/fs/file.c
> @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
>         fdt = files_fdtable(files);
>         if (fd >= fdt->max_fds)
>                 goto out_unlock;
> +       fd = array_index_nospec(fd, fdt->max_fds);
>         file = fdt->fd[fd];
>         if (!file)
>                 goto out_unlock;
> --
> 2.24.1
>
Sedat Dilek Jan. 8, 2021, 12:59 p.m. UTC | #2 
On Fri, Jul 24, 2020 at 3:18 AM Sedat Dilek <sedat.dilek@gmail.com> wrote:
>
> On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
> >
> > Google-Bug-Id: 114199369
> > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
>
> Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+
>

Ping.

What is the status of this patch?

 - Sedat -

>
> > ---
> >  fs/file.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/fs/file.c b/fs/file.c
> > index abb8b7081d7a..73189eaad1df 100644
> > --- a/fs/file.c
> > +++ b/fs/file.cfs: prevent out-of-bounds array speculation when closing a file descriptor
> > @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
> >         fdt = files_fdtable(files);
> >         if (fd >= fdt->max_fds)
> >                 goto out_unlock;fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor
> > +       fd = array_index_nospec(fd, fdt->max_fds);
> >         file = fdt->fd[fd];
> >         if (!file)
> >                 goto out_unlock;
> > --
> > 2.24.1
> >
Sedat Dilek April 8, 2021, 12:15 p.m. UTC | #3 
On Fri, Jan 8, 2021 at 1:59 PM Sedat Dilek <sedat.dilek@gmail.com> wrote:
>
> On Fri, Jul 24, 2020 at 3:18 AM Sedat Dilek <sedat.dilek@gmail.com> wrote:
> >
> > On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
> > >
> > > Google-Bug-Id: 114199369
> > > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> >
> > Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+
> >
>
> Ping.
>
> What is the status of this patch?
>

Friendly ping again.

- Sedat -

>
> >
> > > ---
> > >  fs/file.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/fs/file.c b/fs/file.c
> > > index abb8b7081d7a..73189eaad1df 100644
> > > --- a/fs/file.c
> > > +++ b/fs/file.cfs: prevent out-of-bounds array speculation when closing a file descriptor
> > > @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
> > >         fdt = files_fdtable(files);
> > >         if (fd >= fdt->max_fds)
> > >                 goto out_unlock;fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor
> > > +       fd = array_index_nospec(fd, fdt->max_fds);
> > >         file = fdt->fd[fd];
> > >         if (!file)
> > >                 goto out_unlock;
> > > --
> > > 2.24.1
> > >
Sedat Dilek March 13, 2023, 8:34 p.m. UTC | #4 
On Thu, Apr 8, 2021 at 2:15 PM Sedat Dilek <sedat.dilek@gmail.com> wrote:
>
> On Fri, Jan 8, 2021 at 1:59 PM Sedat Dilek <sedat.dilek@gmail.com> wrote:
> >
> > On Fri, Jul 24, 2020 at 3:18 AM Sedat Dilek <sedat.dilek@gmail.com> wrote:
> > >
> > > On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
> > > >
> > > > Google-Bug-Id: 114199369
> > > > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> > >
> > > Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+
> > >
> >
> > Ping.
> >
> > What is the status of this patch?
> >
>
> Friendly ping again.
>

Finally upstreamed :-).

-Sedat-

[1] https://git.kernel.org/linus/609d54441493c99f21c1823dfd66fa7f4c512ff4

> >
> > >
> > > > ---
> > > >  fs/file.c | 1 +
> > > >  1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/fs/file.c b/fs/file.c
> > > > index abb8b7081d7a..73189eaad1df 100644
> > > > --- a/fs/file.c
> > > > +++ b/fs/file.cfs: prevent out-of-bounds array speculation when closing a file descriptor
> > > > @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
> > > >         fdt = files_fdtable(files);
> > > >         if (fd >= fdt->max_fds)
> > > >                 goto out_unlock;fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor
> > > > +       fd = array_index_nospec(fd, fdt->max_fds);
> > > >         file = fdt->fd[fd];
> > > >         if (!file)
> > > >                 goto out_unlock;
> > > > --
> > > > 2.24.1
> > > >
diff mbox series

Patch

diff --git a/fs/file.c b/fs/file.c
index abb8b7081d7a..73189eaad1df 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -632,6 +632,7 @@  int __close_fd(struct files_struct *files, unsigned fd)
 	fdt = files_fdtable(files);
 	if (fd >= fdt->max_fds)
 		goto out_unlock;
+	fd = array_index_nospec(fd, fdt->max_fds);
 	file = fdt->fd[fd];
 	if (!file)
 		goto out_unlock;