From patchwork Mon Mar 6 18:54:50 2023
X-Patchwork-Submitter: Theodore Ts'o
X-Patchwork-Id: 65068
From: "Theodore Ts'o"
To: Linux Kernel Developers List, Al Viro, Andrew Morton
Cc: "Theodore Ts'o"
Subject: [PATCH] fs: prevent out-of-bounds array speculation when closing a file descriptor
Date: Mon, 6 Mar 2023 13:54:50 -0500
Message-Id: <20230306185450.1028235-1-tytso@mit.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o
---

I had sent this a while back, and failed to follow up when it apparently got missed. $WORK has been carrying this (or the equivalent) as an out-of-tree security patch since 2018, and now some folks are nagging me about why hasn't this gone upstream yet...

fs/file.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/file.c b/fs/file.c index c942c89ca4cd..7893ea161d77 100644 --- a/fs/file.c +++ b/fs/file.c @@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd) if (fd >= fdt->max_fds) return NULL; + fd = array_index_nospec(fd, fdt->max_fds); file = fdt->fd[fd]; if (file) { rcu_assign_pointer(fdt->fd[fd], NULL);
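
Review bot: The changelog has no body. Above the "---" there are only the Google-Bug-Id and Signed-off-by trailers, so nothing records why pick_file() needs the clamp that the added line "fd = array_index_nospec(fd, fdt->max_fds);" applies after the "fd >= fdt->max_fds" check. Please add a paragraph stating that fd is the descriptor number supplied on close, that the bounds check can be mispredicted so that fdt->fd[fd] is loaded speculatively with an out-of-range index, and that the clamped value is also the one used by the rcu_assign_pointer(fdt->fd[fd], NULL) store that follows. A one-line comment above the new statement would help the next reader of fs/file.c as well. Since the note below the "---" describes this as a security patch carried out of tree since 2018, consider adding a Cc: stable tag. The diffstat shows a single insertion and no new #include, so please confirm that linux/nospec.h is already reachable from fs/file.c.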