diff options
| author | Jason Wang <jasowang@redhat.com> | 2018-10-30 14:10:49 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-11-04 14:51:53 +0100 |
| commit | c75d697c8197364323d29e33698a38ab8152d218 (patch) | |
| tree | 7f90dcd42abc9ece577ffa6e6f95db3118ead00e | |
| parent | 886de7239b165452b3e6b1316759d097dd053c19 (diff) | |
| download | linux-stable-c75d697c8197364323d29e33698a38ab8152d218.tar.gz linux-stable-c75d697c8197364323d29e33698a38ab8152d218.tar.bz2 linux-stable-c75d697c8197364323d29e33698a38ab8152d218.zip | |
vhost: Fix Spectre V1 vulnerability
[ Upstream commit ff002269a4ee9c769dbf9365acef633ebcbd6cbe ]
The idx in vhost_vring_ioctl() was controlled by userspace, hence a
potential exploitation of the Spectre variant 1 vulnerability.
Fixing this by sanitizing idx before using it to index d->vqs.
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/vhost/vhost.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 560ed8711706..c4424cbd9943 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -30,6 +30,7 @@ #include <linux/sched/mm.h> #include <linux/sched/signal.h> #include <linux/interval_tree_generic.h> +#include <linux/nospec.h> #include "vhost.h" @@ -1362,6 +1363,7 @@ long vhost_vring_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *arg if (idx >= d->nvqs) return -ENOBUFS; + idx = array_index_nospec(idx, d->nvqs); vq = d->vqs[idx]; mutex_lock(&vq->mutex); |