linux-kernel - [PATCH] kernel/sys.c: fix possible spectre-v1 in do

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date:   Mon, 27 May 2019 15:23:08 +0800
From:   Dianzhang Chen <dianzhangchen0@...il.com>
To:     akpm@...ux-foundation.org
Cc:     gorcunov@...il.com, kristina.martsenko@....com,
        ebiederm@...ssion.com, j.neuschaefer@....net, jannh@...gle.com,
        mortonm@...omium.org, yang.shi@...ux.alibaba.com,
        linux-kernel@...r.kernel.org,
        Dianzhang Chen <dianzhangchen0@...il.com>
Subject: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()

The `resource` in do_prlimit() is controlled by userspace via syscall: setrlimit(defined in kernel/sys.c), hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
The relevant code in do_prlimit() is as below：

if (resource >= RLIM_NLIMITS)
        return -EINVAL;
...
rlim = tsk->signal->rlim + resource;    // use resource as index
...
            *old_rlim = *rlim;

Fix this by sanitizing resource before using it to index tsk->signal->rlim.

Signed-off-by: Dianzhang Chen <dianzhangchen0@...il.com>
---
 kernel/sys.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/sys.c b/kernel/sys.c
index bdbfe8d..7eba1ca 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1532,6 +1532,8 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
 
 	if (resource >= RLIM_NLIMITS)
 		return -EINVAL;
+
+	resource = array_index_nospec(resource, RLIM_NLIMITS);
 	if (new_rlim) {
 		if (new_rlim->rlim_cur > new_rlim->rlim_max)
 			return -EINVAL;
-- 
2.7.4