@@ -11,6 +11,7 @@
#include <linux/compat.h>
#include <linux/fsinfo.h>
#include <linux/fs_parser.h>
+#include <linux/nospec.h>
#include "internal.h"
static int flags_by_mnt(int mnt_flags)
@@ -886,6 +887,8 @@ SYSCALL_DEFINE5(fsinfo,
return -EINVAL;
if (user_params.request >= FSINFO_ATTR__NR)
return -EOPNOTSUPP;
+ user_params.request = array_index_nospec(user_params.request,
+ FSINFO_ATTR__NR);
params.at_flags = user_params.at_flags;
params.request = user_params.request;
params.Nth = user_params.Nth;
user_params.request is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: fs/statfs.c:908 __do_sys_fsinfo() warn: potential spectre issue 'fsinfo_buffer_sizes' [r] Fix this by sanitizing user_params.request before using it to index fsinfo_buffer_sizes Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> --- fs/statfs.c | 3 +++ 1 file changed, 3 insertions(+)