| Message ID | be03c863-4415-6fcb-2139-86efd680ea50@kernel.dk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | io_uring: protect fixed file indexing with array_index_nospec() | expand |
diff --git a/fs/io_uring.c b/fs/io_uring.c index 4402485f0879..769a8c7eee37 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2320,6 +2320,7 @@ static int io_req_set_file(struct io_ring_ctx *ctx, const struct sqe_submit *s, if (unlikely(!ctx->user_files || (unsigned) fd >= ctx->nr_user_files)) return -EBADF; + fd = array_index_nospec(fd, ctx->nr_user_files); if (!ctx->user_files[fd]) return -EBADF; req->file = ctx->user_files[fd];
We index the file tables with a user given value. After we check it's within our limits, use array_index_nospec() to prevent any spectre attacks here. Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> ---