[PATCH] fs: prevent out-of-bounds array speculation when closing a file descriptor

From: Theodore Ts'o
Date: Mon Mar 06 2023 - 13:57:35 EST

Next message: Li, Xin3: "RE: [PATCH v4 34/34] KVM: x86/vmx: execute "int $2" for NMI reinjection when FRED is enabled"
Previous message: Sam Protsenko: "Re: [PATCH v2 0/6] clk: samsung: exynos850: Add missing clocks for PM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@xxxxxxx>
---

I had sent this a while back, and failed to follow up when it
apparently get missed. $WORK has been carrying this (or the
equivalent) as an out-of-tree security patch since 2018, and now some
folks are now nagging me about why hasn't this gone upstream yet...

fs/file.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/file.c b/fs/file.c
index c942c89ca4cd..7893ea161d77 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
if (fd >= fdt->max_fds)
return NULL;

+ fd = array_index_nospec(fd, fdt->max_fds);
file = fdt->fd[fd];
if (file) {
rcu_assign_pointer(fdt->fd[fd], NULL);
--
2.31.0

Next message: Li, Xin3: "RE: [PATCH v4 34/34] KVM: x86/vmx: execute "int $2" for NMI reinjection when FRED is enabled"
Previous message: Sam Protsenko: "Re: [PATCH v2 0/6] clk: samsung: exynos850: Add missing clocks for PM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]