fs: prevent speculative execution
authorElena Reshetova <elena.reshetova@intel.com>
Thu, 4 Jan 2018 10:10:20 +0000 (02:10 -0800)
committerKirtikar Kashyap <kirtikar.kashyap@oracle.com>
Fri, 12 Jan 2018 18:20:01 +0000 (10:20 -0800)
Since the fd value in function __fcheck_files()
seems to be controllable by userspace and is later
used, conditionally on a bounds check, to index
fdt->fd, insert an observable speculation
barrier before its use. This should prevent
observable speculation on that branch and avoid
leaking kernel memory contents.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
include/linux/fdtable.h

index 230f87bdf5ad02008ff622e65bc761e41d4b22e0..9b6d58225d4ce9efae8ee8c28b8b969b8270f2ed 100644 (file)
@@ -76,8 +76,10 @@ static inline struct file *__fcheck_files(struct files_struct *files, unsigned i
 {
        struct fdtable *fdt = rcu_dereference_raw(files->fdt);
 
-       if (fd < fdt->max_fds)
+       if (fd < fdt->max_fds) {
+               osb();
                return rcu_dereference_raw(fdt->fd[fd]);
+       }
        return NULL;
 }
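Review bot: The `osb()` call added inside the `if (fd < fdt->max_fds)` branch carries no comment, so nothing at the call site says that it must stay between the bounds check and the `fdt->fd[fd]` load. I would add `/* Spectre v1 (CVE-2017-5753): no speculative fdt->fd[fd] load with an out-of-range, user-controlled fd */` directly above it. The hunk also adds no include, so `osb()` presumably arrives through a header that fdtable.h already pulls in; that is worth confirming for every architecture this tree builds. Since `__fcheck_files()` appears to be on the path of every fd lookup, a serialising barrier here is likely to be measurable. If this tree has `array_index_nospec()`, clamping the index with `fd = array_index_nospec(fd, fdt->max_fds);` before the load gives the same protection without a barrier.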