From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:55106 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751674AbeBWQlg (ORCPT ); Fri, 23 Feb 2018 11:41:36 -0500 Subject: Patch "vfs, fdtable: Prevent bounds-check bypass via speculative execution" has been added to the 4.4-stable tree To: jinpu.wang@profitbricks.com, dan.j.williams@intel.com, dwmw@amazon.co.uk, elena.reshetova@intel.com, gregkh@linuxfoundation.org, tglx@linutronix.de, viro@zeniv.linux.org.uk Cc: , From: Date: Fri, 23 Feb 2018 17:38:49 +0100 In-Reply-To: <1519382538-15143-17-git-send-email-jinpu.wangl@profitbricks.com> Message-ID: <151940392919539@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled vfs, fdtable: Prevent bounds-check bypass via speculative execution to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Fri Feb 23 17:23:58 CET 2018 From: Jack Wang Date: Fri, 23 Feb 2018 11:42:05 +0100 Subject: vfs, fdtable: Prevent bounds-check bypass via speculative execution To: gregkh@linuxfoundation.org, stable@vger.kernel.org Cc: Dan Williams , Thomas Gleixner , linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, Al Viro , torvalds@linux-foundation.org, alan@linux.intel.com, David Woodhouse , Jack Wang Message-ID: <1519382538-15143-17-git-send-email-jinpu.wangl@profitbricks.com> From: Dan Williams (cherry picked from commit 56c30ba7b348b90484969054d561f711ba196507) 'fd' is a user controlled value that is used as a data dependency to read from the 'fdt->fd' array. In order to avoid potential leaks of kernel memory values, block speculative execution of the instruction stream that could issue reads based on an invalid 'file *' returned from __fcheck_files. Co-developed-by: Elena Reshetova Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: Al Viro Cc: torvalds@linux-foundation.org Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727418500.33451.17392199002892248656.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: cherry pick to 4.4] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman --- include/linux/fdtable.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/include/linux/fdtable.h +++ b/include/linux/fdtable.h @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include @@ -81,8 +82,10 @@ static inline struct file *__fcheck_file { struct fdtable *fdt = rcu_dereference_raw(files->fdt); - if (fd < fdt->max_fds) + if (fd < fdt->max_fds) { + fd = array_index_nospec(fd, fdt->max_fds); return rcu_dereference_raw(fdt->fd[fd]); + } return NULL; } Patches currently in stable-queue which might be from jinpu.wang@profitbricks.com are queue-4.4/x86-paravirt-remove-noreplace-paravirt-cmdline-option.patch queue-4.4/documentation-document-array_index_nospec.patch queue-4.4/kvm-x86-make-indirect-calls-in-emulator-speculation-safe.patch queue-4.4/x86-nospec-fix-header-guards-names.patch queue-4.4/x86-retpoline-avoid-retpolines-for-built-in-__init-functions.patch queue-4.4/vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch queue-4.4/kvm-nvmx-invvpid-handling-improvements.patch queue-4.4/x86-cpu-bugs-make-retpoline-module-warning-conditional.patch queue-4.4/x86-spectre-check-config_retpoline-in-command-line-parser.patch queue-4.4/x86-implement-array_index_mask_nospec.patch queue-4.4/array_index_nospec-sanitize-speculative-array-de-references.patch queue-4.4/kvm-vmx-make-indirect-call-speculation-safe.patch queue-4.4/x86-spectre-fix-spelling-mistake-vunerable-vulnerable.patch queue-4.4/kvm-nvmx-fix-kernel-panics-induced-by-illegal-invept-invvpid-types.patch queue-4.4/module-retpoline-warn-about-missing-retpoline-in-module.patch queue-4.4/x86-kvm-update-spectre-v1-mitigation.patch queue-4.4/x86-get_user-use-pointer-masking-to-limit-speculation.patch queue-4.4/x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch queue-4.4/kvm-nvmx-vmx_complete_nested_posted_interrupt-can-t-fail.patch queue-4.4/x86-spectre-simplify-spectre_v2-command-line-parsing.patch queue-4.4/x86-speculation-fix-typo-ibrs_att-which-should-be-ibrs_all.patch queue-4.4/x86-spectre-report-get_user-mitigation-for-spectre_v1.patch queue-4.4/x86-introduce-barrier_nospec.patch queue-4.4/kvm-async_pf-fix-df-due-to-inject-page-not-present-and-page-ready-exceptions-simultaneously.patch queue-4.4/kvm-vmx-clean-up-declaration-of-vpid-ept-invalidation-types.patch queue-4.4/x86-bugs-drop-one-mitigation-from-dmesg.patch queue-4.4/x86-retpoline-remove-the-esp-rsp-thunk.patch queue-4.4/nl80211-sanitize-array-index-in-parse_txq_params.patch queue-4.4/kvm-nvmx-kmap-can-t-fail.patch