| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251218191332.35849-3-lukas.gerlach@cispa.de>
Date: Thu, 18 Dec 2025 20:13:32 +0100
From: Lukas Gerlach <lukas.gerlach@...pa.de>
To: <linux-riscv@...ts.infradead.org>
CC: <palmer@...belt.com>, <pjw@...nel.org>, <aou@...s.berkeley.edu>,
<alex@...ti.fr>, <linux-kernel@...r.kernel.org>, <daniel.weber@...pa.de>,
<michael.schwarz@...pa.de>, <marton.bognar@...euven.be>,
<jo.vanbulck@...euven.be>, Lukas Gerlach <lukas.gerlach@...pa.de>
Subject: [PATCH 2/2] riscv: Sanitize syscall table indexing under speculation
The syscall number is a user-controlled value used to index into the
syscall table. Use array_index_nospec() to clamp this value after the
bounds check to prevent speculative out-of-bounds access and subsequent
data leakage via cache side channels.
Signed-off-by: Lukas Gerlach <lukas.gerlach@...pa.de>
---
arch/riscv/kernel/traps.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 80230de167de..47afea4ff1a8 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -339,8 +339,10 @@ void do_trap_ecall_u(struct pt_regs *regs)
add_random_kstack_offset();
- if (syscall >= 0 && syscall < NR_syscalls)
+ if (syscall >= 0 && syscall < NR_syscalls) {
+ syscall = array_index_nospec(syscall, NR_syscalls);
syscall_handler(regs, syscall);
+ }
/*
* Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
--
2.51.0
Powered by blists - more mailing lists