diff options
| author | Dan Williams <dan.j.williams@intel.com> | 2018-02-23 11:42:04 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-02-25 11:03:53 +0100 |
| commit | c8961332d6da59b8a39998f46831fe7871cd1519 (patch) | |
| tree | c427ac4ff4927e13c2497bf8f9b8262c4abd5968 /lib/notifier-error-inject.c | |
| parent | fd3d9535450c3c9b720bae22419c7419f50decf6 (diff) | |
x86/syscall: Sanitize syscall table de-references under speculation
(cherry picked from commit 2fbd7af5af8665d18bcefae3e9700be07e22b681)
The syscall table base is a user controlled function pointer in kernel
space. Use array_index_nospec() to prevent any out of bounds speculation.
While retpoline prevents speculating into a userspace directed target it
does not stop the pointer de-reference, the concern is leaking memory
relative to the syscall table base, by observing instruction cache
behavior.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arch@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Andy Lutomirski <luto@kernel.org>
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727417984.33451.1216731042505722161.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
[jwang: port to 4.4, no syscall_64]
Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib/notifier-error-inject.c')
0 files changed, 0 insertions, 0 deletions