fs: prevent out-of-bounds array speculation when closing a file descriptor

commit 609d54441493c99f21c1823dfd66fa7f4c512ff4 upstream.

Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/file.c b/fs/file.c
index 5e79aa9f5d73b595f1bd0468b30e21e08bea3c8e..eac95f11003a1c6f0fdcdc421e6a6c54fb5d4ef9 100644 (file)
--- a/fs/file.c
+++ b/fs/file.c
@@ -629,6 +629,7 @@ int __close_fd(struct files_struct *files, unsigned fd)
        fdt = files_fdtable(files);
        if (fd >= fdt->max_fds)
                goto out_unlock;
+       fd = array_index_nospec(fd, fdt->max_fds);
        file = fdt->fd[fd];
        if (!file)
                goto out_unlock;