fs: prevent out-of-bounds array speculation when closing a file descriptor
commit 609d54441493c99f21c1823dfd66fa7f4c512ff4 upstream. Google-Bug-Id: 114199369 Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
b829e8b6e1
commit
6631c8da02
@ -654,6 +654,7 @@ int __close_fd_get_file(unsigned int fd, struct file **res)
|
|||||||
fdt = files_fdtable(files);
|
fdt = files_fdtable(files);
|
||||||
if (fd >= fdt->max_fds)
|
if (fd >= fdt->max_fds)
|
||||||
goto out_unlock;
|
goto out_unlock;
|
||||||
|
fd = array_index_nospec(fd, fdt->max_fds);
|
||||||
file = fdt->fd[fd];
|
file = fdt->fd[fd];
|
||||||
if (!file)
|
if (!file)
|
||||||
goto out_unlock;
|
goto out_unlock;
|
||||||
|
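Review bot: The added `fd = array_index_nospec(fd, fdt->max_fds);` has no comment, so a later cleanup could mistake it for a redundant repeat of the `fd >= fdt->max_fds` check just above and drop or move it. A one-line comment such as `/* bounds check above can be mispredicted; clamp fd so the speculative fdt->fd[fd] load stays in range */` would record why the clamp must sit between the check and the array load. The file's includes are not visible in this hunk, so confirm `<linux/nospec.h>` is pulled in on this branch. `__close_fd_get_file()` starts and ends outside the hunk, so any later uses of `fd` in the function, and any other check-then-index lookups on the fd table in this file, cannot be checked from here and are worth confirming separately.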