Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 23 Feb 2018 19:26:52 +0100
From: Greg Kroah-Hartman <>
Cc: Greg Kroah-Hartman <>,,
	Dan Williams <>,
	Thomas Gleixner <>,,,
	Al Viro <>,,,
	David Woodhouse <>,
	Jack Wang <>
Subject: [PATCH 4.4 179/193] vfs, fdtable: Prevent bounds-check bypass via speculative execution

4.4-stable review patch.  If anyone has any objections, please let me know.


From: Dan Williams <>

(cherry picked from commit 56c30ba7b348b90484969054d561f711ba196507)

'fd' is a user controlled value that is used as a data dependency to
read from the 'fdt->fd' array.  In order to avoid potential leaks of
kernel memory values, block speculative execution of the instruction
stream that could issue reads based on an invalid 'file *' returned from

Co-developed-by: Elena Reshetova <>
Signed-off-by: Dan Williams <>
Signed-off-by: Thomas Gleixner <>
Cc: Al Viro <>
Signed-off-by: David Woodhouse <>
[jwang: cherry pick to 4.4]
Signed-off-by: Jack Wang <>
Signed-off-by: Greg Kroah-Hartman <>
 include/linux/fdtable.h |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/include/linux/fdtable.h
+++ b/include/linux/fdtable.h
@@ -9,6 +9,7 @@
 #include <linux/compiler.h>
 #include <linux/spinlock.h>
 #include <linux/rcupdate.h>
+#include <linux/nospec.h>
 #include <linux/types.h>
 #include <linux/init.h>
 #include <linux/fs.h>
@@ -81,8 +82,10 @@ static inline struct file *__fcheck_file
 	struct fdtable *fdt = rcu_dereference_raw(files->fdt);
-	if (fd < fdt->max_fds)
+	if (fd < fdt->max_fds) {
+		fd = array_index_nospec(fd, fdt->max_fds);
 		return rcu_dereference_raw(fdt->fd[fd]);
+	}
 	return NULL;

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.