git.baikalelectronics.ru Git - kernel.git/commit

author	Dan Williams <dan.j.williams@intel.com>
	Tue, 30 Jan 2018 01:02:59 +0000 (17:02 -0800)
committer	Thomas Gleixner <tglx@linutronix.de>
	Tue, 30 Jan 2018 20:54:31 +0000 (21:54 +0100)
commit	dd5a3fa9f971363ce23974897d75654901e76905
tree	e07c22dfe943ebbae6c3ca0a3d26aa3d31a2696d	tree \| snapshot
parent	5f23c02867dbd417ff1d7f87ec768c43df598d43	commit \| diff

x86/syscall: Sanitize syscall table de-references under speculation

The syscall table base is a user controlled function pointer in kernel
space. Use array_index_nospec() to prevent any out of bounds speculation.

While retpoline prevents speculating into a userspace directed target it
does not stop the pointer de-reference, the concern is leaking memory
relative to the syscall table base, by observing instruction cache
behavior.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arch@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Andy Lutomirski <luto@kernel.org>
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727417984.33451.1216731042505722161.stgit@dwillia2-desk3.amr.corp.intel.com