fs: prevent out-of-bounds array speculation when closing a file descriptor

author Theodore Ts'o <tytso@mit.edu>

Mon, 6 Mar 2023 18:54:50 +0000 (13:54 -0500)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fri, 17 Mar 2023 07:48:47 +0000 (08:48 +0100)
author Theodore Ts'o <tytso@mit.edu>
Mon, 6 Mar 2023 18:54:50 +0000 (13:54 -0500)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Mar 2023 07:48:47 +0000 (08:48 +0100)
diff --git a/fs/file.c b/fs/file.c

index 214364e19d76f45b87509eb945a93d759fab8570..ee1c350ec58a2cb458c6c40057df85a292d36dd2 100644 (file)
--- a/fs/file.c
+++ b/fs/file.c
@@ -646,6 +646,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
                 file = ERR_PTR(-EINVAL);
                 goto out_unlock;
         }
+       fd = array_index_nospec(fd, fdt->max_fds);
         file = fdt->fd[fd];
         if (!file) {
                 file = ERR_PTR(-EBADF);
author	Theodore Ts'o <tytso@mit.edu>
	Mon, 6 Mar 2023 18:54:50 +0000 (13:54 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 17 Mar 2023 07:48:47 +0000 (08:48 +0100)