| Message ID | 20230306185450.1028235-1-tytso@mit.edu |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp2016788wrd;
Mon, 6 Mar 2023 10:58:56 -0800 (PST)
X-Google-Smtp-Source:
AK7set+D826wCR1lzml9luXInkIPtYiXrtCSG2xYykrPB1sCa/gu2mhwSTY+2Z3uFlVJZl8dkIlp
X-Received: by 2002:a05:6402:682:b0:4af:593d:9ce5 with SMTP id
f2-20020a056402068200b004af593d9ce5mr10099056edy.16.1678129135972;
Mon, 06 Mar 2023 10:58:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1678129135; cv=none;
d=google.com; s=arc-20160816;
b=0E9cN64RBpIBHDCOEoq7yC4NhcHtGpEmJ6t8A1WailFWGk3PZZh/q2hJvF2slF9VxW
03A7RE5of/2dNb5SneO7lQmXLhZ5DcY+n/n3ALSZdf2XXzNvt4Luq893/dv/XDAV59VA
FuaFnN5II9MYyVGwYtwL8KGjTYp7C2XtZz0bk634Wfx7rZCn1KT9JfLUs1TVpuRf+k5V
dIOSxut46tdz/fh36uqUOYghP0Mbqc2yNbhlRmt00/yv9Kvkuj6mbyf/glwhfz58oZsQ
kNTakCIJ7pyd/UJn03p+ziBWH3PNC9CpZ7ar0chRL9cOjnd2jTyuZ9kPh456PWiexsq4
CFHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=DgMaY+QajAGrEGVRA0ZgDBNHO9jOImTkXeQduYwOks0=;
b=eyVWpoHAEgr8wacoTyLTk3qhbqsND3k4eAydwR7MCAbjNJxkWA6IjrlNzsTDKso5s5
wLsyLIfxGePzOcCC15/n/0jK14VLII3g/oypCNVsNkCtQ0mhwi+Qos/8uFwl3fePcLLD
AZa8vI0i9szm5ZnQqLxH7GEGKGaOdh/ave9zEkqcKjeM6Nl5Cgkfy6zZqyf5bkbi1nHG
93vaowyCBanmgDanAr4uCbqbXLb+JlOMooKiqGLrT5eJZ6xdP9pLdX1WuQAAfLiep4g/
73IQhZH+KX6dGnZQNN/4NchEoBWcy2v0GLVspZ4KsOMlc86ifMfqOvjgCpKNTpAiMudt
izNg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=fail header.i=@mit.edu header.s=outgoing header.b=Sw6r+Y+G;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
q24-20020a1709060e5800b008e32f818fbbsi10425680eji.771.2023.03.06.10.58.31;
Mon, 06 Mar 2023 10:58:55 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=fail header.i=@mit.edu header.s=outgoing header.b=Sw6r+Y+G;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230212AbjCFS5d (ORCPT <rfc822;toshivichauhan@gmail.com>
+ 99 others); Mon, 6 Mar 2023 13:57:33 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60170 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230091AbjCFS5O (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 6 Mar 2023 13:57:14 -0500
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9F79FC168
for <linux-kernel@vger.kernel.org>;
Mon, 6 Mar 2023 10:56:07 -0800 (PST)
Received: from cwcc.thunk.org (pool-173-48-120-46.bstnma.fios.verizon.net
[173.48.120.46])
(authenticated bits=0)
(User authenticated as tytso@ATHENA.MIT.EDU)
by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 326IsxMr023437
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Mon, 6 Mar 2023 13:55:01 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing;
t=1678128903; bh=DgMaY+QajAGrEGVRA0ZgDBNHO9jOImTkXeQduYwOks0=;
h=From:To:Cc:Subject:Date;
b=Sw6r+Y+GM4K4n9ahRMRXmuYlywDYglrfeSRn7nzFmpRSt9uKJCh5LEgkmRIcWmUuw
mb4auqmyFlTYzOVR/Dg0TkpQZtX4J75wbLyvoddbd2zE9oATcxgV9la9PKTiyBrEkv
QrBhudODNp3COfdbUxL35yleBCUUjfbKHnaGiVzfUvylUYNQFkAEl5PdMEpHA1UzPJ
L8qRw6HInloW7oNsRP/V6mLgjz9zFOZlKedUvySp2unheq9SWcwGoiof6iHWWBgHj1
10lkwuqFS9VYLCmm12cfgJECmDkopByfPX3/IYb20fe6IOaGigVHTBkWsY3AtvkaZA
KPVIkCQvcD5Sg==
Received: by cwcc.thunk.org (Postfix, from userid 15806)
id A296B15C3441; Mon, 6 Mar 2023 13:54:59 -0500 (EST)
From: "Theodore Ts'o" <tytso@mit.edu>
To: Linux Kernel Developers List <linux-kernel@vger.kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Subject: [PATCH] fs: prevent out-of-bounds array speculation when closing a
file descriptor
Date: Mon, 6 Mar 2023 13:54:50 -0500
Message-Id: <20230306185450.1028235-1-tytso@mit.edu>
X-Mailer: git-send-email 2.31.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.0 required=5.0 tests=BAYES_00,DKIM_INVALID,
DKIM_SIGNED,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1759645936532279877?=
X-GMAIL-MSGID: =?utf-8?q?1759645936532279877?=
|
| Series |
fs: prevent out-of-bounds array speculation when closing a file descriptor
|
|
Commit Message
Theodore Ts'o
March 6, 2023, 6:54 p.m. UTC
Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
I had sent this a while back, and failed to follow up when it
apparently get missed. $WORK has been carrying this (or the
equivalent) as an out-of-tree security patch since 2018, and now some
folks are now nagging me about why hasn't this gone upstream yet...
fs/file.c | 1 +
1 file changed, 1 insertion(+)
Comments
On Mon, Mar 06, 2023 at 01:54:50PM -0500, Theodore Ts'o wrote: > Google-Bug-Id: 114199369 > Signed-off-by: Theodore Ts'o <tytso@mit.edu> > --- > > I had sent this a while back, and failed to follow up when it > apparently get missed. $WORK has been carrying this (or the > equivalent) as an out-of-tree security patch since 2018, and now some > folks are now nagging me about why hasn't this gone upstream yet... Applied (#fixes), will go to Linus this weekend.
diff --git a/fs/file.c b/fs/file.c index c942c89ca4cd..7893ea161d77 100644 --- a/fs/file.c +++ b/fs/file.c @@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd) if (fd >= fdt->max_fds) return NULL; + fd = array_index_nospec(fd, fdt->max_fds); file = fdt->fd[fd]; if (file) { rcu_assign_pointer(fdt->fd[fd], NULL);