From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Wed, 15 Aug 2018 08:36:08 -0500 From: "Gustavo A. R. Silva" To: Alexander Viro Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" Subject: [PATCH] statfs: fix potential Spectre v1 Message-ID: <20180815133608.GA27979@embeddedor.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org List-ID: user_params.request is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: fs/statfs.c:908 __do_sys_fsinfo() warn: potential spectre issue 'fsinfo_buffer_sizes' [r] Fix this by sanitizing user_params.request before using it to index fsinfo_buffer_sizes Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva --- fs/statfs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/statfs.c b/fs/statfs.c index f714f05..d74a60a 100644 --- a/fs/statfs.c +++ b/fs/statfs.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "internal.h" static int flags_by_mnt(int mnt_flags) @@ -886,6 +887,8 @@ SYSCALL_DEFINE5(fsinfo, return -EINVAL; if (user_params.request >= FSINFO_ATTR__NR) return -EOPNOTSUPP; + user_params.request = array_index_nospec(user_params.request, + FSINFO_ATTR__NR); params.at_flags = user_params.at_flags; params.request = user_params.request; params.Nth = user_params.Nth; -- 2.7.4