fs: prevent out-of-bounds array speculation when closing a file descriptor

Google-Bug-Id: 114199369 Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

fs: prevent out-of-bounds array speculation when closing a file descriptor
Google-Bug-Id: 114199369 Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
609d5444 · Theodore Ts'o · Al Viro · c64c67c0 · 609d5444
Commit 609d5444 authored Mar 06, 2023 by Theodore Ts'o Committed by Al Viro Mar 09, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

fs/file.c fs/file.c +1 -0

No files found.
--- a/fs/file.c
+++ b/fs/file.c
@@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
 	if (fd >= fdt->max_fds)
 		return NULL;

+	fd = array_index_nospec(fd, fdt->max_fds);
 	file = fdt->fd[fd];
 	if (file) {
 		rcu_assign_pointer(fdt->fd[fd], NULL);