lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 24 Dec 2018 06:26:42 -0800
From:   Greg Hackmann <ghackmann@...roid.com>
To:     Alexander Viro <viro@...iv.linux.org.uk>
Cc:     Omer Tripp <trippo@...gle.com>, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, gregkh@...uxfoundation.org,
        Greg Hackmann <ghackmann@...roid.com>, stable@...r.kernel.org
Subject: [PATCH v2] fs: fix possible Spectre V1 indexing in __close_fd()

Omer Tripp's analysis of a Spectre V1 gadget in __close_fd():

"1.  __close_fd() is reachable via the close() syscall with a
     user-controlled fd.

 2.  If said bounds check is mispredicted, then a user-controlled
     address fdt->fd[fd] is obtained then dereferenced, and the value of
     a user-controlled address is loaded into the local variable file.

 3.  file is then passed as an argument to filp_close, where the cache
     lines secret + offsetof(f_op) and secret + offsetof(f_mode) are hot
     and vulnerable to a timing channel attack."

Address this by using array_index_nospec() to prevent speculation past
the end of current->fdt.

Reported-by: Omer Tripp <trippo@...gle.com>
Cc: stable@...r.kernel.org
Signed-off-by: Greg Hackmann <ghackmann@...roid.com>
---
v2: include Omer Tripp's analysis in commit message, and update my email
    address

 fs/file.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/file.c b/fs/file.c
index 7ffd6e9d103d..a80cf82be96b 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -18,6 +18,7 @@
 #include <linux/bitops.h>
 #include <linux/spinlock.h>
 #include <linux/rcupdate.h>
+#include <linux/nospec.h>
 
 unsigned int sysctl_nr_open __read_mostly = 1024*1024;
 unsigned int sysctl_nr_open_min = BITS_PER_LONG;
@@ -626,6 +627,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
 	fdt = files_fdtable(files);
 	if (fd >= fdt->max_fds)
 		goto out_unlock;
+	fd = array_index_nospec(fd, fdt->max_fds);
 	file = fdt->fd[fd];
 	if (!file)
 		goto out_unlock;
-- 
2.19.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ