]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commitdiff
projects / mirror_ubuntu-artful-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9780ac7)
userns: prevent speculative execution
authorElena Reshetova <elena.reshetova@intel.com>
Fri, 15 Dec 2017 10:29:09 +0000 (02:29 -0800)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Mon, 5 Feb 2018 15:45:36 +0000 (16:45 +0100)
CVE-2017-5753 (Spectre v1 Intel)

Since the pos value in function m_start()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
map->extent, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
kernel/user_namespace.c patch | blob | blame | history

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 23b4d6ec05d77af77be77ea5efc9097325f8d4ea..8dfb2682bf00cb6fd2690c695ea4e619060af856 100644 (file)
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -502,8 +502,10 @@ static void *m_start(struct seq_file *seq, loff_t *ppos,
        struct uid_gid_extent *extent = NULL;
        loff_t pos = *ppos;
 
-       if (pos < map->nr_extents)
+       if (pos < map->nr_extents) {
+               osb();
                extent = &map->extent[pos];
+       }
 
        return extent;
 }
Ubuntu Artful kernel mirror