Commit 0afa9964 authored Dec 11, 2018 by Jeff Moyer Committed by Al Viro Dec 11, 2018

aio: fix spectre gadget in lookup_ioctx



Matthew pointed out that the ioctx_table is susceptible to spectre v1,
because the index can be controlled by an attacker.  The below patch
should mitigate the attack for all of the aio system calls.

Reported-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

parent 73116df7

fs/aio.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -45,6 +45,7 @@

		#include <asm/kmap_types.h>
		#include <linux/uaccess.h>
		#include <linux/nospec.h>

		#include "internal.h"

		@@ -1038,6 +1039,7 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
		if (!table \|\| id >= table->nr)
		goto out;

		id = array_index_nospec(id, table->nr);
		ctx = rcu_dereference(table->table[id]);
		if (ctx && ctx->user_id == ctx_id) {
		if (percpu_ref_tryget_live(&ctx->users))