www.infradead.org Git - users/jedix/linux-maple.git/commitdiff
userns: prevent speculative execution
author Elena Reshetova <elena.reshetova@intel.com>
Thu, 4 Jan 2018 10:38:15 +0000 (02:38 -0800)
committer Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
Fri, 12 Jan 2018 18:20:01 +0000 (10:20 -0800)
From: Elena Reshetova <elena.reshetova@intel.com>

Since the pos value in function m_start()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
map->extent, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
kernel/user_namespace.c

index 4109f8320684a81af4cd9d0c7262f83812c300f2..5547cfa71b51345265961b8bf03634683be9c420 100644 (file)
@@ -495,8 +495,10 @@ static void *m_start(struct seq_file *seq, loff_t *ppos,
        struct uid_gid_extent *extent = NULL;
        loff_t pos = *ppos;
 
-       if (pos < map->nr_extents)
+       if (pos < map->nr_extents) {
+               osb();
                extent = &map->extent[pos];
+       }
 
        return extent;
 }
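
Review bot: The `osb()` call inside the new `if (pos < map->nr_extents) {` block carries no comment, so a later cleanup could move or drop it without realising it has to stay between the bounds check and `extent = &map->extent[pos];`. Please add a one-line comment there saying that `pos` comes from `*ppos` and that the barrier keeps the index from being used speculatively before the comparison resolves. Separately, the check only bounds `pos` from above, and `pos` is a signed `loff_t`; it would help to confirm that a negative value cannot reach this function, or to state that assumption in the same comment.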