fs: prevent out-of-bounds array speculation when closing a file descriptor
authorTheodore Ts'o <tytso@mit.edu>
Mon, 6 Mar 2023 18:54:50 +0000 (13:54 -0500)
committerAl Viro <viro@zeniv.linux.org.uk>
Fri, 10 Mar 2023 03:46:21 +0000 (22:46 -0500)
Google-Bug-Id: 114199369
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/file.c

index c942c89ca4cda90b94eaf724a2dabd63853bb52e..7893ea161d77075ca0ab524d7c8021ab668c0978 100644 (file)
--- a/fs/file.c
+++ b/fs/file.c
@@ -642,6 +642,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
        if (fd >= fdt->max_fds)
                return NULL;
 
+       fd = array_index_nospec(fd, fdt->max_fds);
        file = fdt->fd[fd];
        if (file) {
                rcu_assign_pointer(fdt->fd[fd], NULL);
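Review bot: The new `fd = array_index_nospec(fd, fdt->max_fds);` line carries no comment, and the commit message has no body, so nothing here tells a reader why `fd` is bounded a second time right after the `fd >= fdt->max_fds` check. I would add a comment above it such as `/* bounds check above can be mispredicted; clamp fd so fdt->fd[fd] is not read out of bounds under speculation */`. The comment should also state that the clamp must use the same bound as the check and stay ahead of every `fdt->fd[fd]` access. Otherwise a later refactor could move the load above it or change one bound without the other. The hunk does not show whether `<linux/nospec.h>` is already reachable from fs/file.c, so that is worth confirming. pick_file's body starts and ends outside the hunk.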