io_uring: protect fixed file indexing with array_index_nospec()

commit b7620121dc04e44ce654297050f9eaf39d414a34 upstream. We index the file tables with a user given value. After we check it's within our limits, use array_index_nospec() to prevent any spectre attacks here. Suggested-by: N Jann Horn <jannh@google.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Joseph Qi <joseph.qi@linux.alibaba.com> Reviewed-by: N Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>

io_uring: protect fixed file indexing with array_index_nospec()
commit b7620121dc04e44ce654297050f9eaf39d414a34 upstream. We index the file tables with a user given value. After we check it's within our limits, use array_index_nospec() to prevent any spectre attacks here. Suggested-by: N Jann Horn <jannh@google.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Joseph Qi <joseph.qi@linux.alibaba.com> Reviewed-by: N Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
6737067a · Jens Axboe · Shile Zhang · bdc2063b · 6737067a
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

fs/io_uring.c fs/io_uring.c +1 -0

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2320,6 +2320,7 @@ static int io_req_set_file(struct io_ring_ctx *ctx, const struct sqe_submit *s,
 		if (unlikely(!ctx->user_files ||
 		    (unsigned) fd >= ctx->nr_user_files))
 			return -EBADF;
+		fd = array_index_nospec(fd, ctx->nr_user_files);
 		if (!ctx->user_files[fd])
 			return -EBADF;
 		req->file = ctx->user_files[fd];