* [PATCH] fs: prevent out-of-bounds array speculation when closing a file descriptor
From: Theodore Ts'o @ 2020-07-23 18:59 UTC
To: viro; +Cc: Linux Filesystem Development List, Theodore Ts'o
Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
fs/file.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/file.c b/fs/file.c
index abb8b7081d7a..73189eaad1df 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
fdt = files_fdtable(files);
if (fd >= fdt->max_fds)
goto out_unlock;
+ fd = array_index_nospec(fd, fdt->max_fds);
file = fdt->fd[fd];
if (!file)
goto out_unlock;
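Review bot: the added `fd = array_index_nospec(fd, fdt->max_fds);` in __close_fd() has no comment, and directly after `if (fd >= fdt->max_fds) goto out_unlock;` it reads like a redundant second bounds check. A one-line comment above it, saying that the clamp keeps a mispredicted bounds check from feeding an out-of-range fd into `fdt->fd[fd]`, would stop someone from removing it later as dead code. The diffstat shows one insertion and no new #include, so please confirm that the array_index_nospec() declaration from <linux/nospec.h> is already visible in fs/file.c.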
--
2.24.1
* Re: [PATCH] fs: prevent out-of-bounds array speculation when closing a file descriptor
From: Sedat Dilek @ 2020-07-24 1:18 UTC
To: Theodore Ts'o; +Cc: viro, Linux Filesystem Development List
On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
>
> Google-Bug-Id: 114199369
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+
- Sedat -
> ---
> fs/file.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/file.c b/fs/file.c
> index abb8b7081d7a..73189eaad1df 100644
> --- a/fs/file.c
> +++ b/fs/file.c
> @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
> fdt = files_fdtable(files);
> if (fd >= fdt->max_fds)
> goto out_unlock;
> + fd = array_index_nospec(fd, fdt->max_fds);
> file = fdt->fd[fd];
> if (!file)
> goto out_unlock;
> --
> 2.24.1
>
* Re: [PATCH] fs: prevent out-of-bounds array speculation when closing a file descriptor
From: Sedat Dilek @ 2021-01-08 12:59 UTC
To: Theodore Ts'o; +Cc: viro, Linux Filesystem Development List
On Fri, Jul 24, 2020 at 3:18 AM Sedat Dilek <sedat.dilek@gmail.com> wrote:
>
> On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
> >
> > Google-Bug-Id: 114199369
> > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
>
> Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+
>
Ping.
What is the status of this patch?
- Sedat -
>
> > ---
> > fs/file.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/fs/file.c b/fs/file.c
> > index abb8b7081d7a..73189eaad1df 100644
> > --- a/fs/file.c
> > +++ b/fs/file.cfs: prevent out-of-bounds array speculation when closing a file descriptor
> > @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
> > fdt = files_fdtable(files);
> > if (fd >= fdt->max_fds)
> > goto out_unlock;fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor
> > + fd = array_index_nospec(fd, fdt->max_fds);
> > file = fdt->fd[fd];
> > if (!file)
> > goto out_unlock;
> > --
> > 2.24.1
> >
* Re: [PATCH] fs: prevent out-of-bounds array speculation when closing a file descriptor
From: Sedat Dilek @ 2021-04-08 12:15 UTC
To: Theodore Ts'o; +Cc: viro, Linux Filesystem Development List
On Fri, Jan 8, 2021 at 1:59 PM Sedat Dilek <sedat.dilek@gmail.com> wrote:
>
> On Fri, Jul 24, 2020 at 3:18 AM Sedat Dilek <sedat.dilek@gmail.com> wrote:
> >
> > On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
> > >
> > > Google-Bug-Id: 114199369
> > > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> >
> > Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+
> >
>
> Ping.
>
> What is the status of this patch?
>
Friendly ping again.
- Sedat -
>
> >
> > > ---
> > > fs/file.c | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/fs/file.c b/fs/file.c
> > > index abb8b7081d7a..73189eaad1df 100644
> > > --- a/fs/file.c
> > > +++ b/fs/file.cfs: prevent out-of-bounds array speculation when closing a file descriptor
> > > @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
> > > fdt = files_fdtable(files);
> > > if (fd >= fdt->max_fds)
> > > goto out_unlock;fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor
> > > + fd = array_index_nospec(fd, fdt->max_fds);
> > > file = fdt->fd[fd];
> > > if (!file)
> > > goto out_unlock;
> > > --
> > > 2.24.1
> > >
* Re: [PATCH] fs: prevent out-of-bounds array speculation when closing a file descriptor
From: Sedat Dilek @ 2023-03-13 20:34 UTC
To: Theodore Ts'o; +Cc: viro, Linux Filesystem Development List
On Thu, Apr 8, 2021 at 2:15 PM Sedat Dilek <sedat.dilek@gmail.com> wrote:
>
> On Fri, Jan 8, 2021 at 1:59 PM Sedat Dilek <sedat.dilek@gmail.com> wrote:
> >
> > On Fri, Jul 24, 2020 at 3:18 AM Sedat Dilek <sedat.dilek@gmail.com> wrote:
> > >
> > > On Thu, Jul 23, 2020 at 9:02 PM Theodore Ts'o <tytso@mit.edu> wrote:
> > > >
> > > > Google-Bug-Id: 114199369
> > > > Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> > >
> > > Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.8-rc6+
> > >
> >
> > Ping.
> >
> > What is the status of this patch?
> >
>
> Friendly ping again.
>
Finally upstreamed :-).
-Sedat-
[1] https://git.kernel.org/linus/609d54441493c99f21c1823dfd66fa7f4c512ff4
> >
> > >
> > > > ---
> > > > fs/file.c | 1 +
> > > > 1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/fs/file.c b/fs/file.c
> > > > index abb8b7081d7a..73189eaad1df 100644
> > > > --- a/fs/file.c
> > > > +++ b/fs/file.cfs: prevent out-of-bounds array speculation when closing a file descriptor
> > > > @@ -632,6 +632,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
> > > > fdt = files_fdtable(files);
> > > > if (fd >= fdt->max_fds)
> > > > goto out_unlock;fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor fs: prevent out-of-bounds array speculation when closing a file descriptor
> > > > + fd = array_index_nospec(fd, fdt->max_fds);
> > > > file = fdt->fd[fd];
> > > > if (!file)
> > > > goto out_unlock;
> > > > --
> > > > 2.24.1
> > > >
* Re: [PATCH] fs: prevent out-of-bounds array speculation when closing a file descriptor
From: Al Viro @ 2023-03-10 3:47 UTC
To: Theodore Ts'o; +Cc: Linux Kernel Developers List, Andrew Morton
On Mon, Mar 06, 2023 at 01:54:50PM -0500, Theodore Ts'o wrote:
> Google-Bug-Id: 114199369
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> ---
>
> I had sent this a while back, and failed to follow up when it
> apparently got missed. $WORK has been carrying this (or the
> equivalent) as an out-of-tree security patch since 2018, and now some
> folks are nagging me about why this hasn't gone upstream yet...
Applied (#fixes), will go to Linus this weekend.
* [PATCH] fs: prevent out-of-bounds array speculation when closing a file descriptor
From: Theodore Ts'o @ 2023-03-06 18:54 UTC
To: Linux Kernel Developers List, Al Viro, Andrew Morton; +Cc: Theodore Ts'o
Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
I had sent this a while back, and failed to follow up when it
apparently got missed. $WORK has been carrying this (or the
equivalent) as an out-of-tree security patch since 2018, and now some
folks are nagging me about why this hasn't gone upstream yet...
fs/file.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/file.c b/fs/file.c
index c942c89ca4cd..7893ea161d77 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
if (fd >= fdt->max_fds)
return NULL;
+ fd = array_index_nospec(fd, fdt->max_fds);
file = fdt->fd[fd];
if (file) {
rcu_assign_pointer(fdt->fd[fd], NULL);
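Review bot: nothing that will survive into git history explains the `fd = array_index_nospec(fd, fdt->max_fds);` clamp added in pick_file(): the changelog is only the two tags, and the one piece of context (carried out of tree as a security patch since 2018) sits below the `---`, where it is dropped on apply. Suggest a short changelog body stating that the `fd >= fdt->max_fds` check can be bypassed under speculation and that the clamp bounds the index used for `file = fdt->fd[fd]`. Reassigning fd itself, rather than clamping into a temporary, is the right shape here, since the later `rcu_assign_pointer(fdt->fd[fd], NULL)` uses the clamped value too.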
--
2.31.0