Jeff Moyer <jmoyer@xxxxxxxxxx> writes:
> Jeff Moyer <jmoyer@xxxxxxxxxx> writes:
>
>> Matthew Wilcox <willy@xxxxxxxxxxxxx> writes:
>>
>>> This custom resizing array was vulnerable to a Spectre attack (speculating
>>> off the end of an array to a user-controlled offset). The XArray is
>>> not vulnerable to Spectre as it always masks its lookups to be within
>>> the bounds of the array.
>>
>> I'm not a big fan of completely re-writing the code to fix this. Isn't
>> the below patch sufficient?
>
> Too quick on the draw. Here's a patch that compiles. ;-)
Hi, Matthew,
I'm going to submit this version formally. If you're interested in
converting the ioctx_table to xarray, you can do that separately from a
security fix. I would include a performance analysis with that patch,
though. The idea of using a radix tree for the ioctx table was
discarded due to performance reasons--see commit db446a08c23d5 ("aio:
convert the ioctx list to table lookup v3"). I suspect using the xarray
will perform similarly.
Cheers,
Jeff
> diff --git a/fs/aio.c b/fs/aio.c
> index 97f983592925..aac9659381d2 100644
> --- a/fs/aio.c
> +++ b/fs/aio.c
> @@ -45,6 +45,7 @@
>
> #include <asm/kmap_types.h>
> #include <linux/uaccess.h>
> +#include <linux/nospec.h>
>
> #include "internal.h"
>
> @@ -1038,6 +1039,7 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
> if (!table || id >= table->nr)
> goto out;
>
> + id = array_index_nospec(id, table->nr);
> ctx = rcu_dereference(table->table[id]);
> if (ctx && ctx->user_id == ctx_id) {
> if (percpu_ref_tryget_live(&ctx->users))
>
> --
> To unsubscribe, send a message with 'unsubscribe linux-aio' in
> the body to majordomo@xxxxxxxxx. For more info on Linux AIO,
> see: http://www.kvack.org/aio/
> Don't email: <a href=mailto:"aart@xxxxxxxxx";>aart@xxxxxxxxx</a>
