Commit b7620121 authored by Jens Axboe's avatar Jens Axboe
Browse files

io_uring: protect fixed file indexing with array_index_nospec() 



We index the file tables with a user given value. After we check
it's within our limits, use array_index_nospec() to prevent any
spectre attacks here.

Suggested-by: default avatarJann Horn <jannh@google.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 17f2fe35

fs/io_uring.c

+1 −0
Original line number Diff line number Diff line
@@ -2321,6 +2321,7 @@ static int io_req_set_file(struct io_ring_ctx *ctx, const struct sqe_submit *s, 
		if (unlikely(!ctx->user_files ||

		    (unsigned) fd >= ctx->nr_user_files))

			return -EBADF;

		fd = array_index_nospec(fd, ctx->nr_user_files);

		if (!ctx->user_files[fd])

			return -EBADF;

		req->file = ctx->user_files[fd];

CRA Git | Maintained and supported by SUSTech CRA and CCSE