This is a note to let you know that I've just added the patch titled vfs, fdtable: Prevent bounds-check bypass via speculative execution to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Fri Feb 23 17:23:58 CET 2018 From: Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx> Date: Fri, 23 Feb 2018 11:42:05 +0100 Subject: vfs, fdtable: Prevent bounds-check bypass via speculative execution To: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx Cc: Dan Williams <dan.j.williams@xxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, linux-arch@xxxxxxxxxxxxxxx, kernel-hardening@xxxxxxxxxxxxxxxxxx, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, torvalds@xxxxxxxxxxxxxxxxxxxx, alan@xxxxxxxxxxxxxxx, David Woodhouse <dwmw@xxxxxxxxxxxx>, Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx> Message-ID: <1519382538-15143-17-git-send-email-jinpu.wangl@xxxxxxxxxxxxxxxx> From: Dan Williams <dan.j.williams@xxxxxxxxx> (cherry picked from commit 56c30ba7b348b90484969054d561f711ba196507) 'fd' is a user controlled value that is used as a data dependency to read from the 'fdt->fd' array. In order to avoid potential leaks of kernel memory values, block speculative execution of the instruction stream that could issue reads based on an invalid 'file *' returned from __fcheck_files. Co-developed-by: Elena Reshetova <elena.reshetova@xxxxxxxxx> Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx> Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Cc: linux-arch@xxxxxxxxxxxxxxx Cc: kernel-hardening@xxxxxxxxxxxxxxxxxx Cc: gregkh@xxxxxxxxxxxxxxxxxxx Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Cc: torvalds@xxxxxxxxxxxxxxxxxxxx Cc: alan@xxxxxxxxxxxxxxx Link: https://lkml.kernel.org/r/151727418500.33451.17392199002892248656.stgit@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: David Woodhouse <dwmw@xxxxxxxxxxxx> [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- include/linux/fdtable.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -9,6 +9,7 @@ #include <linux/compiler.h> #include <linux/spinlock.h> #include <linux/rcupdate.h> +#include <linux/nospec.h> #include <linux/types.h> #include <linux/init.h> #include <linux/fs.h> @@ -81,8 +82,10 @@ static inline struct file *__fcheck_file { struct fdtable *fdt = rcu_dereference_raw(files->fdt); - if (fd < fdt->max_fds) + if (fd < fdt->max_fds) { + fd = array_index_nospec(fd, fdt->max_fds); return rcu_dereference_raw(fdt->fd[fd]); + } return NULL; } Patches currently in stable-queue which might be from jinpu.wang@xxxxxxxxxxxxxxxx are queue-4.4/x86-paravirt-remove-noreplace-paravirt-cmdline-option.patch queue-4.4/documentation-document-array_index_nospec.patch queue-4.4/kvm-x86-make-indirect-calls-in-emulator-speculation-safe.patch queue-4.4/x86-nospec-fix-header-guards-names.patch queue-4.4/x86-retpoline-avoid-retpolines-for-built-in-__init-functions.patch queue-4.4/vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch queue-4.4/kvm-nvmx-invvpid-handling-improvements.patch queue-4.4/x86-cpu-bugs-make-retpoline-module-warning-conditional.patch queue-4.4/x86-spectre-check-config_retpoline-in-command-line-parser.patch queue-4.4/x86-implement-array_index_mask_nospec.patch queue-4.4/array_index_nospec-sanitize-speculative-array-de-references.patch queue-4.4/kvm-vmx-make-indirect-call-speculation-safe.patch queue-4.4/x86-spectre-fix-spelling-mistake-vunerable-vulnerable.patch queue-4.4/kvm-nvmx-fix-kernel-panics-induced-by-illegal-invept-invvpid-types.patch queue-4.4/module-retpoline-warn-about-missing-retpoline-in-module.patch queue-4.4/x86-kvm-update-spectre-v1-mitigation.patch queue-4.4/x86-get_user-use-pointer-masking-to-limit-speculation.patch queue-4.4/x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch queue-4.4/kvm-nvmx-vmx_complete_nested_posted_interrupt-can-t-fail.patch queue-4.4/x86-spectre-simplify-spectre_v2-command-line-parsing.patch queue-4.4/x86-speculation-fix-typo-ibrs_att-which-should-be-ibrs_all.patch queue-4.4/x86-spectre-report-get_user-mitigation-for-spectre_v1.patch queue-4.4/x86-introduce-barrier_nospec.patch queue-4.4/kvm-async_pf-fix-df-due-to-inject-page-not-present-and-page-ready-exceptions-simultaneously.patch queue-4.4/kvm-vmx-clean-up-declaration-of-vpid-ept-invalidation-types.patch queue-4.4/x86-bugs-drop-one-mitigation-from-dmesg.patch queue-4.4/x86-retpoline-remove-the-esp-rsp-thunk.patch queue-4.4/nl80211-sanitize-array-index-in-parse_txq_params.patch queue-4.4/kvm-nvmx-kmap-can-t-fail.patch