git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Jeremy Cline <jcline@redhat.com>
	Thu, 2 Aug 2018 04:03:40 +0000 (00:03 -0400)
committer	Stefan Bader <stefan.bader@canonical.com>
	Wed, 24 Apr 2019 08:09:07 +0000 (10:09 +0200)
commit	ab776625f84ed6733ce72a17fe080f3d7e34b1fa
tree	bbde560c64ab05cb8797f00e7b1c363b321eed8e	tree
parent	9cf388864120784a00b311a5875d5c6642efdece	commit \| diff

ext4: fix spectre gadget in ext4_mb_regular_allocator()

'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
index arrays which makes it a potential spectre gadget. Fix this by
sanitizing the value assigned to 'ac->ac2_order'.  This covers the
following accesses found with the help of smatch:

* fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
  spectre issue 'grp->bb_counters' [w] (local cap)

* fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
  'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)

* fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
  'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)

Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
CVE-2017-5753

(cherry picked from commit 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85)
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>