fs: prevent out-of-bounds array speculation when closing a file descriptor

author Theodore Ts'o <tytso@mit.edu>

Mon, 6 Mar 2023 18:54:50 +0000 (13:54 -0500)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fri, 17 Mar 2023 07:32:47 +0000 (08:32 +0100)
author Theodore Ts'o <tytso@mit.edu>
Mon, 6 Mar 2023 18:54:50 +0000 (13:54 -0500)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Mar 2023 07:32:47 +0000 (08:32 +0100)
diff --git a/fs/file.c b/fs/file.c

index 51f53a7dc2218dcb8237b616c9d9af37f9061e57..e56059fa1b309fd4f2030e0160a5329e9c9e755d 100644 (file)
--- a/fs/file.c
+++ b/fs/file.c
@@ -654,6 +654,7 @@ int __close_fd_get_file(unsigned int fd, struct file **res)
         fdt = files_fdtable(files);
         if (fd >= fdt->max_fds)
                 goto out_unlock;
+       fd = array_index_nospec(fd, fdt->max_fds);
         file = fdt->fd[fd];
         if (!file)
                 goto out_unlock;
author	Theodore Ts'o <tytso@mit.edu>
	Mon, 6 Mar 2023 18:54:50 +0000 (13:54 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 17 Mar 2023 07:32:47 +0000 (08:32 +0100)