On Fri, Jul 27, 2018 at 04:23:55PM +0000, Jeremy Cline wrote: > 'type' is a user-controlled value used to index into 's_qf_names', which > can be used in a Spectre v1 attack. Clamp 'type' to the size of the > array to avoid a speculative out-of-bounds read. > > Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Jeremy Cline <jcline@xxxxxxxxxx> > --- > fs/ext4/super.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/ext4/super.c b/fs/ext4/super.c > index 6480e763080f..c04a09b51742 100644 > --- a/fs/ext4/super.c > +++ b/fs/ext4/super.c > @@ -40,6 +40,7 @@ > #include <linux/crc16.h> > #include <linux/dax.h> > #include <linux/cleancache.h> > +#include <linux/nospec.h> > #include <linux/uaccess.h> > #include <linux/iversion.h> > > @@ -5559,6 +5560,7 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, > if (path->dentry->d_sb != sb) > return -EXDEV; > /* Journaling quota? */ > + type = array_index_nospec(type, EXT4_MAXQUOTAS); > if (EXT4_SB(sb)->s_qf_names[type]) { > /* Quotafile not in fs root? */ > if (path->dentry->d_parent != sb->s_root) Generally we try to put the array_index_nospec() close to the bounds check for which it's trying to prevent speculation past. In this case, I'd expect the EXT4_MAXQUOTAS bounds check to be in do_quotactl(), but it seems to be missing: if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS)) return -EINVAL; Also it looks like XQM_MAXQUOTAS, MAXQUOTAS, and EXT4_MAXQUOTAS all have the same value (3). Maybe they can be consolidated to just use MAXQUOTAS everywhere? Then the nospec would be simple: if (type >= MAXQUOTAS) return -EINVAL; type = array_index_nospec(type, MAXQUOTAS); Otherwise I think we may need to disperse the array_index_nospec calls deeper in the callchain. -- Josh