]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commitdiff
projects / mirror_ubuntu-bionic-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 68a2a14)
vhost: Fix Spectre V1 vulnerability
authorJason Wang <jasowang@redhat.com>
Tue, 30 Oct 2018 06:10:49 +0000 (14:10 +0800)
committerStefan Bader <stefan.bader@canonical.com>
Wed, 24 Apr 2019 08:09:10 +0000 (10:09 +0200)
The idx in vhost_vring_ioctl() was controlled by userspace, hence a
potential exploitation of the Spectre variant 1 vulnerability.

Fixing this by sanitizing idx before using it to index d->vqs.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
CVE-2017-5753

(cherry picked from commit ff002269a4ee9c769dbf9365acef633ebcbd6cbe)
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
drivers/vhost/vhost.c patch | blob | blame | history

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 24df8d93a89b483d20f455a386299e5625b1b177..cfebc033a1ba67a75156d614a13fb1ea300908c0 100644 (file)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -30,6 +30,7 @@
 #include <linux/sched/mm.h>
 #include <linux/sched/signal.h>
 #include <linux/interval_tree_generic.h>
+#include <linux/nospec.h>
 
 #include "vhost.h"
 
@@ -1370,6 +1371,7 @@ long vhost_vring_ioctl(struct vhost_dev *d, int ioctl, void __user *argp)
        if (idx >= d->nvqs)
                return -ENOBUFS;
 
+       idx = array_index_nospec(idx, d->nvqs);
        vq = d->vqs[idx];
 
        mutex_lock(&vq->mutex);
ubuntu-bionic-kernel mirror