Fix __close_fd Spectre v1 gadget.
Issue description
In fs/file.c, __close_fd contains code where a userspace-controlled fd
is used to index an array:
int __close_fd(struct files_struct *files, unsigned fd)
{
	struct file *file;
	struct fdtable *fdt;

	spin_lock(&files->file_lock);
	fdt = files_fdtable(files);
	if (fd >= fdt->max_fds)
		goto out_unlock;
	file = fdt->fd[fd];   <---
This is a typical Spectre v1 gadget, which we can easily fix.
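The standard kernel mitigation for this pattern is to clamp the index after the bounds check with array_index_nospec() from include/linux/nospec.h, so that even a speculatively executed load past the check stays inside the array. The following is an added user-space model of that clamp, not code from this report or the kernel tree; the function names, the 4-entry fd table and the main() are this example's own, and the mask arithmetic mirrors the kernel's generic array_index_mask_nospec().

```c
/* Added example, not code from the bug report or the kernel tree: a
 * user-space model of the clamp the kernel applies via array_index_nospec()
 * (include/linux/nospec.h). Function names and the fd table are this
 * example's own. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Branchless mask: all ones when index < size, zero otherwise. Same
 * arithmetic as the kernel's generic array_index_mask_nospec(); there is
 * no data-dependent branch for the CPU to speculate past. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
    /* Keep the compiler from proving the mask redundant and dropping it
     * (the kernel uses OPTIMIZER_HIDE_VAR for the same purpose). */
    __asm__ volatile("" : "+r"(index));
#endif
    /* index < size  => (size - index - 1) has its top bit clear, and so
     * does index; ~(...) is negative and the arithmetic shift yields all ones.
     * index >= size => (size - index - 1) wraps or index itself has the top
     * bit set; ~(...) is non-negative and the shift yields zero. */
    return ~(long)(index | (size - index - 1)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Clamp: an in-range index is unchanged, an out-of-range one becomes 0,
 * which is still inside the array even on a mispredicted path. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

#define MAX_FDS 4
/* Constructed stand-in for fdt->fd[]. */
static const char *fd_table[MAX_FDS] = { "fd0", "fd1", "fd2", "fd3" };

/* Models the __close_fd lookup with the clamp in place: the architectural
 * bounds check is unchanged, and the clamp covers the window in which the
 * CPU may have speculated past it. */
static const char *lookup_fd(unsigned fd)
{
    if (fd >= MAX_FDS)
        return NULL;                               /* architectural path: rejected */
    fd = (unsigned)index_nospec(fd, MAX_FDS);      /* speculative path: clamped */
    return fd_table[fd];
}

int main(void)
{
    printf("fd 2 -> %s\n", lookup_fd(2));
    printf("fd 9 -> %s\n", lookup_fd(9) ? lookup_fd(9) : "rejected");
    printf("clamp(9, %d) -> %lu\n", MAX_FDS, index_nospec(9, MAX_FDS));
    return 0;
}
```

The point of the mask form is that nothing about it depends on branch prediction: the bounds check still decides the architectural result, but the load that follows it can no longer be steered to an out-of-range slot while the CPU is speculating.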
Comment 1 by jorgelo@chromium.org, Oct 4