[dm-devel] Patch "dm ioctl: prevent potential spectre v1 gadget" has been added to the 5.17-stable tree
Sasha Levin
sashal at kernel.org
Sun Apr 10 02:12:04 UTC 2022
This is a note to let you know that I've just added the patch titled
dm ioctl: prevent potential spectre v1 gadget
to the 5.17-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
dm-ioctl-prevent-potential-spectre-v1-gadget.patch
and it can be found in the queue-5.17 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.
commit 3c4136a82fc9d849053a5d5300fee8d0e3c7f417
Author: Jordy Zomer <jordy at jordyzomer.github.io>
Date: Sat Jan 29 15:58:39 2022 +0100
dm ioctl: prevent potential spectre v1 gadget
[ Upstream commit cd9c88da171a62c4b0f1c70e50c75845969fbc18 ]
It appears like cmd could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents of kernel memory
from being leaked to userspace via speculative execution by using
array_index_nospec.
Signed-off-by: Jordy Zomer <jordy at pwning.systems>
Signed-off-by: Mike Snitzer <snitzer at redhat.com>
Signed-off-by: Sasha Levin <sashal at kernel.org>
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 21fe8652b095..901abd6dea41 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -18,6 +18,7 @@
#include <linux/dm-ioctl.h>
#include <linux/hdreg.h>
#include <linux/compat.h>
+#include <linux/nospec.h>
#include <linux/uaccess.h>
#include <linux/ima.h>
@@ -1788,6 +1789,7 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
if (unlikely(cmd >= ARRAY_SIZE(_ioctls)))
return NULL;
+ cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls));
*ioctl_flags = _ioctls[cmd].flags;
return _ioctls[cmd].fn;
}
More information about the dm-devel
mailing list