From: Elena Reshetova
Date: Thu, 4 Jan 2018 10:10:20 +0000 (-0800)
Subject: fs: prevent speculative execution
X-Git-Tag: v4.1.12-124.31.3~1373
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=fec411a5422da2145872f305689c5f3c224553de;p=users%2Fjedix%2Flinux-maple.git

fs: prevent speculative execution

Since the fd value in function __fcheck_files() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve fdt->fd, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak.

Signed-off-by: Elena Reshetova
Orabug: 27340445
CVE: CVE-2017-5753
Signed-off-by: Chuck Anderson
Reviewed-by: John Haxby
Signed-off-by: Kirtikar Kashyap
---
diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h index 230f87bdf5ad..9b6d58225d4c 100644 --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -76,8 +76,10 @@ static inline struct file *__fcheck_files(struct files_struct *files, unsigned i { struct fdtable *fdt = rcu_dereference_raw(files->fdt); - if (fd < fdt->max_fds) + if (fd < fdt->max_fds) { + osb(); return rcu_dereference_raw(fdt->fd[fd]); + } return NULL; }
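
Review bot: the osb() call added inside the `if (fd < fdt->max_fds)` branch of __fcheck_files() has no comment, and the diff adds no #include to include/linux/fdtable.h for the header that declares it. Please add a one-line comment above `osb();` saying that it keeps the `fdt->fd[fd]` load from being issued speculatively with an out-of-range fd (the CVE-2017-5753 case named in the commit message), so the barrier is not later removed as dead weight. Because this is a static inline in a header, please also confirm that every file including fdtable.h already sees the osb() declaration, rather than relying on include order. Two further points for the commit message: the barrier sits on the success path, so every in-range fd lookup now pays for it, and it would help to state whether that cost was measured or whether clamping fd to the valid range before indexing was considered instead. The message also says fd "seems to be" controllable by userspace; naming one call path that passes an unchecked user fd into __fcheck_files() would make the justification verifiable.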