From 616abca9e7f1add8e8f26cf6d33992b76412bcec Mon Sep 17 00:00:00 2001
From: Tim Chen <tim.c.chen@linux.intel.com>
Date: Fri, 15 Dec 2017 02:29:09 -0800
Subject: [PATCH 155/194] userns: prevent speculative execution

From: Elena Reshetova <elena.reshetova@intel.com>

Since the pos value in function m_start() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve map->extent, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 kernel/user_namespace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index c490f1e..2240f36 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -543,8 +543,10 @@ static void *m_start(struct seq_file *seq, loff_t *ppos,
 struct uid_gid_extent *extent = NULL;
 loff_t pos = *ppos;
- if (pos < map->nr_extents)
+ if (pos < map->nr_extents) {
+ osb();
 extent = &map->extent[pos];
+ }
 return extent;
 }
-- 
2.9.5
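Review bot: The `osb();` added inside the `if (pos < map->nr_extents)` branch carries no comment, so nothing at the call site records that it exists to stop speculation past the bounds check, and a later cleanup that drops the braces or hoists the assignment could silently remove the protection. I would add `/* pos is taken from *ppos; keep the barrier between the bounds check and the map->extent[pos] lookup */` directly above it. The hunk itself only forms the address `&map->extent[pos]`; the load through the returned pointer happens in code outside the hunk, so the comment should also say that the barrier is what protects that later consumer. If this tree offers an index-clamping helper (mainline later gained `array_index_nospec()`), clamping `pos` would tie the protection to the index value rather than to statement order, which is worth confirming before changing anything. m_start's signature continues above the hunk.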