On Wed, May 29, 2019 at 08:37:28PM +0800, Dianzhang Chen wrote:
> The `size` in kmalloc_slab() is indirectly controlled by userspace via syscall: poll(defined in fs/select.c), hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
> The `size` can be controlled from: poll -> do_sys_poll -> kmalloc -> __kmalloc -> kmalloc_slab.
>
> Fix this by sanitizing `size` before using it to index size_index.
I think it makes more sense to sanitize size in size_index_elem(),
don't you?
static inline unsigned int size_index_elem(unsigned int bytes)
{
- return (bytes - 1) / 8;
+ return array_index_nospec((bytes - 1) / 8, ARRAY_SIZE(size_index));
}
(untested)
