]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c7f631c) | patch
x86/syscall: Sanitize syscall table de-references under speculation
authorDan Williams <dan.j.williams@intel.com>
Tue, 30 Jan 2018 01:02:59 +0000 (17:02 -0800)
committerThomas Gleixner <tglx@linutronix.de>
Tue, 30 Jan 2018 20:54:31 +0000 (21:54 +0100)
commit2fbd7af5af8665d18bcefae3e9700be07e22b681
treee07c22dfe943ebbae6c3ca0a3d26aa3d31a2696dtree
parentc7f631cb07e7da06ac1d231ca178452339e32a94commit | diff
x86/syscall: Sanitize syscall table de-references under speculation

The syscall table base is a user controlled function pointer in kernel
space. Use array_index_nospec() to prevent any out of bounds speculation.

While retpoline prevents speculating into a userspace directed target it
does not stop the pointer de-reference, the concern is leaking memory
relative to the syscall table base, by observing instruction cache
behavior.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arch@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Andy Lutomirski <luto@kernel.org>
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727417984.33451.1216731042505722161.stgit@dwillia2-desk3.amr.corp.intel.com
arch/x86/entry/common.c diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror