userns: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel) Since the pos value in function m_start() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve map->extent, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

userns: prevent speculative execution
CVE-2017-5753 (Spectre v1 Intel) Since the pos value in function m_start() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve map->extent, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
3627e887 · Elena Reshetova · Kleber Sacilotto de Souza · 9780ac7b · 3627e887
Commit 3627e887 authored Dec 15, 2017 by Elena Reshetova Committed by Kleber Sacilotto de Souza Feb 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

kernel/user_namespace.c kernel/user_namespace.c +3 -1

No files found.
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -502,8 +502,10 @@ static void *m_start(struct seq_file *seq, loff_t *ppos,
 	struct uid_gid_extent *extent = NULL;
 	loff_t pos = *ppos;

-	if (pos < map->nr_extents)
+	if (pos < map->nr_extents) {
+		osb();
 		extent = &map->extent[pos];
+	}

 	return extent;
 }