projects
/
linux.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
17f2fe3
)
io_uring: protect fixed file indexing with array_index_nospec()
author
Jens Axboe
<axboe@kernel.dk>
Sat, 26 Oct 2019 13:22:55 +0000
(07:22 -0600)
committer
Jens Axboe
<axboe@kernel.dk>
Tue, 29 Oct 2019 18:43:06 +0000
(12:43 -0600)
We index the file tables with a user given value. After we check
it's within our limits, use array_index_nospec() to prevent any
spectre attacks here.
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
fs/io_uring.c
patch
|
blob
|
history
diff --git
a/fs/io_uring.c
b/fs/io_uring.c
index b668149c20b9a5dcd30a0ee4024e726d0c17d146..7743b180a3e0a0a206a39840d3d5e2ea726a500a 100644
(file)
--- a/
fs/io_uring.c
+++ b/
fs/io_uring.c
@@
-2321,6
+2321,7
@@
static int io_req_set_file(struct io_ring_ctx *ctx, const struct sqe_submit *s,
if (unlikely(!ctx->user_files ||
(unsigned) fd >= ctx->nr_user_files))
return -EBADF;
+ fd = array_index_nospec(fd, ctx->nr_user_files);
if (!ctx->user_files[fd])
return -EBADF;
req->file = ctx->user_files[fd];
projects / linux.git / commitdiff