diff mbox series

fs: prevent out-of-bounds array speculation when closing a file descriptor

Message ID 20200723185921.1847880-1-tytso@mit.edu (mailing list archive)
State New, archived
Headers show
Series fs: prevent out-of-bounds array speculation when closing a file descriptor | expand

Commit Message

Theodore Ts'o July 23, 2020, 6:59 p.m. UTC
Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
 fs/file.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Sedat Dilek July 24, 2020, 1:18 a.m. UTC | #1
On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
>
> Google-Bug-Id: 114199369
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+

- Sedat -

> ---
>  fs/file.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/fs/file.c b/fs/file.c
> index abb8b7081d7a..73189eaad1df 100644
> --- a/fs/file.c
> +++ b/fs/file.c
> @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
>         fdt = files_fdtable(files);
>         if (fd >= fdt->max_fds)
>                 goto out_unlock;
> +       fd = array_index_nospec(fd, fdt->max_fds);
>         file = fdt->fd[fd];
>         if (!file)
>                 goto out_unlock;
> --
> 2.24.1
>
Sedat Dilek Jan. 8, 2021, 12:59 p.m. UTC | #2
On Fri, Jul 24, 2020 at 3:18 AM Sedat Dilek <sedat.dilek@gmail.com> wrote:
>
> On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
> >
> > Google-Bug-Id: 114199369
> > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
>
> Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+
>

Ping.

What is the status of this patch?

 - Sedat -

>
> > ---
> >  fs/file.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/fs/file.c b/fs/file.c
> > index abb8b7081d7a..73189eaad1df 100644
> > --- a/fs/file.c
> > +++ b/fs/file.cfs: prevent out-of-bounds array speculation when closing a file descriptor
> > @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
> >         fdt = files_fdtable(files);
> >         if (fd >= fdt->max_fds)
> >                 goto out_unlock;fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor
> > +       fd = array_index_nospec(fd, fdt->max_fds);
> >         file = fdt->fd[fd];
> >         if (!file)
> >                 goto out_unlock;
> > --
> > 2.24.1
> >
diff mbox series

Patch

diff --git a/fs/file.c b/fs/file.c
index abb8b7081d7a..73189eaad1df 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -632,6 +632,7 @@  int __close_fd(struct files_struct *files, unsigned fd)
 	fdt = files_fdtable(files);
 	if (fd >= fdt->max_fds)
 		goto out_unlock;
+	fd = array_index_nospec(fd, fdt->max_fds);
 	file = fdt->fd[fd];
 	if (!file)
 		goto out_unlock;