Patch "vfs, fdtable: Prevent bounds-check bypass via speculative execution" has been added to the 4.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    vfs, fdtable: Prevent bounds-check bypass via speculative execution

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Fri Feb 23 17:23:58 CET 2018
From: Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx>
Date: Fri, 23 Feb 2018 11:42:05 +0100
Subject: vfs, fdtable: Prevent bounds-check bypass via speculative execution
To: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx
Cc: Dan Williams <dan.j.williams@xxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, linux-arch@xxxxxxxxxxxxxxx, kernel-hardening@xxxxxxxxxxxxxxxxxx, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, torvalds@xxxxxxxxxxxxxxxxxxxx, alan@xxxxxxxxxxxxxxx, David Woodhouse <dwmw@xxxxxxxxxxxx>, Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx>
Message-ID: <1519382538-15143-17-git-send-email-jinpu.wangl@xxxxxxxxxxxxxxxx>

From: Dan Williams <dan.j.williams@xxxxxxxxx>

(cherry picked from commit 56c30ba7b348b90484969054d561f711ba196507)

'fd' is a user controlled value that is used as a data dependency to
read from the 'fdt->fd' array.  In order to avoid potential leaks of
kernel memory values, block speculative execution of the instruction
stream that could issue reads based on an invalid 'file *' returned from
__fcheck_files.

Co-developed-by: Elena Reshetova <elena.reshetova@xxxxxxxxx>
Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: linux-arch@xxxxxxxxxxxxxxx
Cc: kernel-hardening@xxxxxxxxxxxxxxxxxx
Cc: gregkh@xxxxxxxxxxxxxxxxxxx
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: torvalds@xxxxxxxxxxxxxxxxxxxx
Cc: alan@xxxxxxxxxxxxxxx
Link: https://lkml.kernel.org/r/151727418500.33451.17392199002892248656.stgit@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: David Woodhouse <dwmw@xxxxxxxxxxxx>
[jwang: cherry pick to 4.4]
Signed-off-by: Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 include/linux/fdtable.h |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/include/linux/fdtable.h
+++ b/include/linux/fdtable.h
@@ -9,6 +9,7 @@
 #include <linux/compiler.h>
 #include <linux/spinlock.h>
 #include <linux/rcupdate.h>
+#include <linux/nospec.h>
 #include <linux/types.h>
 #include <linux/init.h>
 #include <linux/fs.h>
@@ -81,8 +82,10 @@ static inline struct file *__fcheck_file
 {
 	struct fdtable *fdt = rcu_dereference_raw(files->fdt);
 
-	if (fd < fdt->max_fds)
+	if (fd < fdt->max_fds) {
+		fd = array_index_nospec(fd, fdt->max_fds);
 		return rcu_dereference_raw(fdt->fd[fd]);
+	}
 	return NULL;
 }
 


Patches currently in stable-queue which might be from jinpu.wang@xxxxxxxxxxxxxxxx are

queue-4.4/x86-paravirt-remove-noreplace-paravirt-cmdline-option.patch
queue-4.4/documentation-document-array_index_nospec.patch
queue-4.4/kvm-x86-make-indirect-calls-in-emulator-speculation-safe.patch
queue-4.4/x86-nospec-fix-header-guards-names.patch
queue-4.4/x86-retpoline-avoid-retpolines-for-built-in-__init-functions.patch
queue-4.4/vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch
queue-4.4/kvm-nvmx-invvpid-handling-improvements.patch
queue-4.4/x86-cpu-bugs-make-retpoline-module-warning-conditional.patch
queue-4.4/x86-spectre-check-config_retpoline-in-command-line-parser.patch
queue-4.4/x86-implement-array_index_mask_nospec.patch
queue-4.4/array_index_nospec-sanitize-speculative-array-de-references.patch
queue-4.4/kvm-vmx-make-indirect-call-speculation-safe.patch
queue-4.4/x86-spectre-fix-spelling-mistake-vunerable-vulnerable.patch
queue-4.4/kvm-nvmx-fix-kernel-panics-induced-by-illegal-invept-invvpid-types.patch
queue-4.4/module-retpoline-warn-about-missing-retpoline-in-module.patch
queue-4.4/x86-kvm-update-spectre-v1-mitigation.patch
queue-4.4/x86-get_user-use-pointer-masking-to-limit-speculation.patch
queue-4.4/x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch
queue-4.4/kvm-nvmx-vmx_complete_nested_posted_interrupt-can-t-fail.patch
queue-4.4/x86-spectre-simplify-spectre_v2-command-line-parsing.patch
queue-4.4/x86-speculation-fix-typo-ibrs_att-which-should-be-ibrs_all.patch
queue-4.4/x86-spectre-report-get_user-mitigation-for-spectre_v1.patch
queue-4.4/x86-introduce-barrier_nospec.patch
queue-4.4/kvm-async_pf-fix-df-due-to-inject-page-not-present-and-page-ready-exceptions-simultaneously.patch
queue-4.4/kvm-vmx-clean-up-declaration-of-vpid-ept-invalidation-types.patch
queue-4.4/x86-bugs-drop-one-mitigation-from-dmesg.patch
queue-4.4/x86-retpoline-remove-the-esp-rsp-thunk.patch
queue-4.4/nl80211-sanitize-array-index-in-parse_txq_params.patch
queue-4.4/kvm-nvmx-kmap-can-t-fail.patch
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]