Commit 1a5d5e5d authored Aug 02, 2018 by Jeremy Cline Committed by Theodore Ts'o Aug 02, 2018

ext4: fix spectre gadget in ext4_mb_regular_allocator()



'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
index arrays which makes it a potential spectre gadget. Fix this by
sanitizing the value assigned to 'ac->ac2_order'.  This covers the
following accesses found with the help of smatch:

* fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
  spectre issue 'grp->bb_counters' [w] (local cap)

* fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
  'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)

* fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
  'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)

Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org

parent 7d95178c

fs/ext4/mballoc.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -14,6 +14,7 @@
		#include <linux/log2.h>
		#include <linux/module.h>
		#include <linux/slab.h>
		#include <linux/nospec.h>
		#include <linux/backing-dev.h>
		#include <trace/events/ext4.h>

		@@ -2140,7 +2141,8 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac)
		* This should tell if fe_len is exactly power of 2
		*/
		if ((ac->ac_g_ex.fe_len & (~(1 << (i - 1)))) == 0)
		ac->ac_2order = i - 1;
		ac->ac_2order = array_index_nospec(i - 1,
		sb->s_blocksize_bits + 2);
		}

		/* if stream allocation is enabled, use global goal */

Admin message