user_params.request is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: fs/statfs.c:908 __do_sys_fsinfo() warn: potential spectre issue 'fsinfo_buffer_sizes' [r] Fix this by sanitizing user_params.request before using it to index fsinfo_buffer_sizes Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx> --- fs/statfs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/statfs.c b/fs/statfs.c index f714f05..d74a60a 100644 --- a/fs/statfs.c +++ b/fs/statfs.c @@ -11,6 +11,7 @@ #include <linux/compat.h> #include <linux/fsinfo.h> #include <linux/fs_parser.h> +#include <linux/nospec.h> #include "internal.h" static int flags_by_mnt(int mnt_flags) @@ -886,6 +887,8 @@ SYSCALL_DEFINE5(fsinfo, return -EINVAL; if (user_params.request >= FSINFO_ATTR__NR) return -EOPNOTSUPP; + user_params.request = array_index_nospec(user_params.request, + FSINFO_ATTR__NR); params.at_flags = user_params.at_flags; params.request = user_params.request; params.Nth = user_params.Nth; -- 2.7.4
