fs: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the fd value in function __fcheck_files()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
fdt->fd, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h
index 6e84b2cae6ad62b529298b662856dc857c3091b6..c3dabeb30f1ef7dbe24b9fa75da5d5c9135658e4 100644 (file)
--- a/include/linux/fdtable.h
+++ b/include/linux/fdtable.h
@@ -81,8 +81,10 @@ static inline struct file *__fcheck_files(struct files_struct *files, unsigned i
 {
        struct fdtable *fdt = rcu_dereference_raw(files->fdt);
 
-       if (fd < fdt->max_fds)
+       if (fd < fdt->max_fds) {
+               osb();
                return rcu_dereference_raw(fdt->fd[fd]);
+       }
        return NULL;
 }