]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commitdiff
projects / mirror_ubuntu-artful-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3b2ec7e)
udf: prevent speculative execution
authorElena Reshetova <elena.reshetova@intel.com>
Wed, 13 Dec 2017 08:15:30 +0000 (10:15 +0200)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Mon, 5 Feb 2018 15:56:05 +0000 (16:56 +0100)
CVE-2017-5753 (Spectre v1 Intel)

Since the eahd->appAttrLocation value in function
udf_add_extendedattr() seems to be controllable by
userspace and later on conditionally (upon bound check)
used in following memmove, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
fs/udf/misc.c patch | blob | blame | history

diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index 3949c4bec3a3ff3d13369b8930e1715bd86b196e..c826ccc7ceaeb470d1e00b3b52311951689ea76b 100644 (file)
--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -104,6 +104,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,
                                        iinfo->i_lenEAttr) {
                                uint32_t aal =
                                        le32_to_cpu(eahd->appAttrLocation);
+
+                               osb();
                                memmove(&ea[offset - aal + size],
                                        &ea[aal], offset - aal);
                                offset -= aal;
@@ -114,6 +116,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,
                                        iinfo->i_lenEAttr) {
                                uint32_t ial =
                                        le32_to_cpu(eahd->impAttrLocation);
+
+                               osb();
                                memmove(&ea[offset - ial + size],
                                        &ea[ial], offset - ial);
                                offset -= ial;
@@ -125,6 +129,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,
                                        iinfo->i_lenEAttr) {
                                uint32_t aal =
                                        le32_to_cpu(eahd->appAttrLocation);
+
+                               osb();
                                memmove(&ea[offset - aal + size],
                                        &ea[aal], offset - aal);
                                offset -= aal;
Ubuntu Artful kernel mirror