Commit 9780ac7b authored by Elena Reshetova's avatar Elena Reshetova Committed by Kleber Sacilotto de Souza

udf: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the eahd->appAttrLocation value in function
udf_add_extendedattr() seems to be controllable by
userspace and is later used conditionally (after a bounds
check) in the following memmove, insert an observable
speculation barrier before its use. This should prevent
observable speculation on that branch and avoid leaking
kernel memory.
Signed-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: default avatarAndy Whitcroft <apw@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 798c6525
...@@ -104,6 +104,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size, ...@@ -104,6 +104,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,
iinfo->i_lenEAttr) { iinfo->i_lenEAttr) {
uint32_t aal = uint32_t aal =
le32_to_cpu(eahd->appAttrLocation); le32_to_cpu(eahd->appAttrLocation);
osb();
memmove(&ea[offset - aal + size], memmove(&ea[offset - aal + size],
&ea[aal], offset - aal); &ea[aal], offset - aal);
offset -= aal; offset -= aal;
...@@ -114,6 +116,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size, ...@@ -114,6 +116,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,
iinfo->i_lenEAttr) { iinfo->i_lenEAttr) {
uint32_t ial = uint32_t ial =
le32_to_cpu(eahd->impAttrLocation); le32_to_cpu(eahd->impAttrLocation);
osb();
memmove(&ea[offset - ial + size], memmove(&ea[offset - ial + size],
&ea[ial], offset - ial); &ea[ial], offset - ial);
offset -= ial; offset -= ial;
...@@ -125,6 +129,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size, ...@@ -125,6 +129,8 @@ struct genericFormat *udf_add_extendedattr(struct inode *inode, uint32_t size,
iinfo->i_lenEAttr) { iinfo->i_lenEAttr) {
uint32_t aal = uint32_t aal =
le32_to_cpu(eahd->appAttrLocation); le32_to_cpu(eahd->appAttrLocation);
osb();
memmove(&ea[offset - aal + size], memmove(&ea[offset - aal + size],
&ea[aal], offset - aal); &ea[aal], offset - aal);
offset -= aal; offset -= aal;
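Review bot: None of the three added `osb();` calls (before the `memmove` on `aal`, on `ial`, and on `aal` again) has a comment, so the code does not say which bounds check each barrier belongs to or why it must stay between the `le32_to_cpu()` load and the `memmove`. I would put a comment above each one, for example `/* Spectre v1: location comes from the on-disk EA header; no speculation past the i_lenEAttr check */`. The commit message names only `eahd->appAttrLocation`, but the second hunk guards `eahd->impAttrLocation` in the same way, so the record understates what is covered. Each location also appears to be loaded again into `aal`/`ial` after the comparison instead of reusing the compared value. Whether that matters cannot be judged here, because the `if` conditions and the rest of `udf_add_extendedattr()` start outside the hunks.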
......