Commit 609d5444 authored by Theodore Ts'o's avatar Theodore Ts'o Committed by Al Viro

fs: prevent out-of-bounds array speculation when closing a file descriptor

Google-Bug-Id: 114199369
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent c64c67c0
......@@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
if (fd >= fdt->max_fds)
return NULL;
fd = array_index_nospec(fd, fdt->max_fds);
file = fdt->fd[fd];
if (file) {
rcu_assign_pointer(fdt->fd[fd], NULL);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment