diff options
| author | Theodore Ts'o <tytso@mit.edu> | 2023-03-06 13:54:50 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-03-17 08:30:36 +0100 |
| commit | f31cd5da636682caea424fa1c22679016cbfc16b (patch) | |
| tree | ca9f95b89caee0482a9e5786c49d4ea47059812d /fs | |
| parent | e7a701196c571954453771a7f6061f8ab3a74fda (diff) | |
| download | linux-stable-f31cd5da636682caea424fa1c22679016cbfc16b.tar.gz linux-stable-f31cd5da636682caea424fa1c22679016cbfc16b.tar.bz2 linux-stable-f31cd5da636682caea424fa1c22679016cbfc16b.zip | |
fs: prevent out-of-bounds array speculation when closing a file descriptor
commit 609d54441493c99f21c1823dfd66fa7f4c512ff4 upstream.
Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/file.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/file.c b/fs/file.c index 5e79aa9f5d73..eac95f11003a 100644 --- a/fs/file.c +++ b/fs/file.c @@ -629,6 +629,7 @@ int __close_fd(struct files_struct *files, unsigned fd) fdt = files_fdtable(files); if (fd >= fdt->max_fds) goto out_unlock; + fd = array_index_nospec(fd, fdt->max_fds); file = fdt->fd[fd]; if (!file) goto out_unlock; |