diff options
| author | Jens Axboe <axboe@kernel.dk> | 2019-10-26 07:22:55 -0600 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2019-10-29 12:43:06 -0600 |
| commit | b7620121dc04e44ce654297050f9eaf39d414a34 (patch) | |
| tree | 6f6ea0f8c5c240d76678841d96c3df79244b2a5a /fs/io_uring.c | |
| parent | 17f2fe35d080d8f64e86a60cdcd3a97edcbc213b (diff) | |
| download | lwn-b7620121dc04e44ce654297050f9eaf39d414a34.tar.gz lwn-b7620121dc04e44ce654297050f9eaf39d414a34.zip | |
io_uring: protect fixed file indexing with array_index_nospec()
We index the file tables with a user given value. After we check
it's within our limits, use array_index_nospec() to prevent any
spectre attacks here.
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'fs/io_uring.c')
| -rw-r--r-- | fs/io_uring.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c index b668149c20b9..7743b180a3e0 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2321,6 +2321,7 @@ static int io_req_set_file(struct io_ring_ctx *ctx, const struct sqe_submit *s, if (unlikely(!ctx->user_files || (unsigned) fd >= ctx->nr_user_files)) return -EBADF; + fd = array_index_nospec(fd, ctx->nr_user_files); if (!ctx->user_files[fd]) return -EBADF; req->file = ctx->user_files[fd]; |