| From 04a04aac23a88010685beb74645b8f0770334cd4 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Sat, 29 Jan 2022 15:58:39 +0100 |
| Subject: dm ioctl: prevent potential spectre v1 gadget |
| |
| From: Jordy Zomer <jordy@jordyzomer.github.io> |
| |
| [ Upstream commit cd9c88da171a62c4b0f1c70e50c75845969fbc18 ] |
| |
| It appears like cmd could be a Spectre v1 gadget as it's supplied by a |
| user and used as an array index. Prevent the contents of kernel memory |
| from being leaked to userspace via speculative execution by using |
| array_index_nospec. |
| |
| Signed-off-by: Jordy Zomer <jordy@pwning.systems> |
| Signed-off-by: Mike Snitzer <snitzer@redhat.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/md/dm-ioctl.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c |
| index 21fe8652b095..901abd6dea41 100644 |
| --- a/drivers/md/dm-ioctl.c |
| +++ b/drivers/md/dm-ioctl.c |
| @@ -18,6 +18,7 @@ |
| #include <linux/dm-ioctl.h> |
| #include <linux/hdreg.h> |
| #include <linux/compat.h> |
| +#include <linux/nospec.h> |
| |
| #include <linux/uaccess.h> |
| #include <linux/ima.h> |
| @@ -1788,6 +1789,7 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags) |
| if (unlikely(cmd >= ARRAY_SIZE(_ioctls))) |
| return NULL; |
| |
| + cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls)); |
| *ioctl_flags = _ioctls[cmd].flags; |
| return _ioctls[cmd].fn; |
| } |
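Review bot: The new `array_index_nospec()` line in lookup_ioctl() has no comment, and placed directly after the `cmd >= ARRAY_SIZE(_ioctls)` check it reads as a redundant second bounds check that a later cleanup could remove. I would add above it `/* cmd is user-supplied: clamp it so a mispredicted bounds check cannot index past _ioctls[] speculatively (Spectre v1) */`. The comment should also say that the clamp must stay between the bounds check and both `_ioctls[cmd]` loads and must use the same `ARRAY_SIZE(_ioctls)` bound. The start of lookup_ioctl() is outside the hunk, so anything that touches `cmd` before the check is not visible here.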
| -- |
| 2.35.1 |
| |