[dm-devel] Patch "dm ioctl: prevent potential spectre v1 gadget" has been added to the 5.4-stable tree
Sasha Levin
sashal at kernel.org
Sun Apr 10 02:39:00 UTC 2022
This is a note to let you know that I've just added the patch titled
dm ioctl: prevent potential spectre v1 gadget
to the 5.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
dm-ioctl-prevent-potential-spectre-v1-gadget.patch
and it can be found in the queue-5.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.
commit 281c0645c719dd2e3e36ccbaa36b6919f294560e
Author: Jordy Zomer <jordy at jordyzomer.github.io>
Date: Sat Jan 29 15:58:39 2022 +0100
dm ioctl: prevent potential spectre v1 gadget
[ Upstream commit cd9c88da171a62c4b0f1c70e50c75845969fbc18 ]
It appears like cmd could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents of kernel memory
from being leaked to userspace via speculative execution by using
array_index_nospec.
Signed-off-by: Jordy Zomer <jordy at pwning.systems>
Signed-off-by: Mike Snitzer <snitzer at redhat.com>
Signed-off-by: Sasha Levin <sashal at kernel.org>
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 3f15d8dc2b71..7a73f2fa0ad7 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -17,6 +17,7 @@
#include <linux/dm-ioctl.h>
#include <linux/hdreg.h>
#include <linux/compat.h>
+#include <linux/nospec.h>
#include <linux/uaccess.h>
@@ -1696,6 +1697,7 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
if (unlikely(cmd >= ARRAY_SIZE(_ioctls)))
return NULL;
+ cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls));
*ioctl_flags = _ioctls[cmd].flags;
return _ioctls[cmd].fn;
}
More information about the dm-devel
mailing list