linux-brain/fs/quota
Jeremy Cline 0515258e47 fs/quota: Fix spectre gadget in do_quotactl
commit 7b6924d94a upstream.

'type' is user-controlled, so sanitize it after the bounds check to
avoid using it in speculative execution. This covers the following
potential gadgets detected with the help of smatch:

* fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue
  'sb_dqopt(sb)->files' [r]
* fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue
  'sb_dqopt(sb)->info' [w]
* fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue
  'dquots' [r]
* fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre
  issue 'dqopt->ops' [r]
* fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre
  issue 'dqopt->files' [w] (local cap)
* fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre
  issue 'dqopt->ops' [w] (local cap)
* fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre
  issue 'dqopt->info' [w] (local cap)
* fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue
  'sb_dqopt(sb)->info' [r]
* fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre
  issue 'quota_magics' [w]
* fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre
  issue 'quota_versions' [w]
* fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre
  issue 'dqopt->info' [r]
* fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre
  issue 'dqopt->info' [r]

Additionally, a quick inspection indicates there are array accesses with
'type' in quota_on() and quota_off() functions which are also addressed
by this.

Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-09 20:01:26 +02:00
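
The pattern the commit message describes (bounds check, then sanitize the user-controlled index), as an added example that is not code from this commit or from the kernel tree. It is a userspace model of the kernel's generic `array_index_nospec()` helper; `index_mask_nospec`, `index_nospec`, `quota_fmt_lookup` and the table contents are hypothetical names and constructed values, and `MAXQUOTAS` is assumed to be 3.

```c
#include <limits.h>
#include <stdio.h>

#define MAXQUOTAS 3 /* assumed here: user, group and project quota types */
#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Userspace model of the kernel's generic array_index_mask_nospec():
 * ~0UL when index < size, 0 otherwise, computed without a branch so there
 * is nothing for the CPU to mispredict. Assumes size <= LONG_MAX and an
 * arithmetic right shift of negative longs (true for GCC and Clang). */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Hide 'index' from the optimizer so it cannot reintroduce a branch. */
    __asm__ volatile("" : "+r"(index));
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (BITS_PER_LONG - 1));
}

/* Clamp: an in-range index is unchanged, an out-of-range one becomes 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Hypothetical stand-in for a per-type table such as sb_dqopt(sb)->info. */
static const int quota_fmt_id[MAXQUOTAS] = { 11, 22, 33 }; /* constructed */

/* Bounds check first, then sanitize 'type' before it indexes the array.
 * Returns -1 for an invalid type. */
int quota_fmt_lookup(unsigned int type)
{
    if (type >= MAXQUOTAS)
        return -1;
    /* If the branch above is mispredicted, 'type' is forced to 0 here, so
     * the load below cannot speculatively read past quota_fmt_id[]. */
    type = (unsigned int)index_nospec(type, MAXQUOTAS);
    return quota_fmt_id[type];
}

int main(void)
{
    for (unsigned int t = 0; t < 5; t++)
        printf("type=%u mask=%#lx lookup=%d\n", t,
               index_mask_nospec(t, MAXQUOTAS), quota_fmt_lookup(t));
    return 0;
}
```

The sanitize step has to sit after the bounds check and before every array access that uses `type`, which is why clamping it once at the syscall entry point covers all the call sites listed in the message.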
compat.c quota: split out compat_sys_quotactl support from quota.c 2010-03-05 00:20:25 +01:00
dquot.c quota: Check for register_shrinker() failure. 2018-02-03 17:05:39 +01:00
Kconfig rcu: Make SRCU optional by using CONFIG_SRCU 2015-01-06 11:04:29 -08:00
kqid.c fs/quota: kernel-doc warning fixes 2014-07-15 22:40:23 +02:00
Makefile userns: Implement struct kqid 2012-09-18 01:01:38 -07:00
netlink.c fs/quota: use nla_put_u64_64bit() 2016-04-26 12:00:48 -04:00
quota_tree.c quota_v2: Implement get_next_id() for V2 quota format 2016-02-09 13:05:23 +01:00
quota_tree.h quota: Change quota error message to print out disk and function name 2010-07-21 16:05:58 +02:00
quota_v1.c quota: Store maximum space limit in bytes 2015-01-30 12:51:21 +01:00
quota_v2.c quota_v2: Implement get_next_id() for V2 quota format 2016-02-09 13:05:23 +01:00
quota.c fs/quota: Fix spectre gadget in do_quotactl 2018-09-09 20:01:26 +02:00
quotaio_v1.h quota: Move quota files into separate directory 2009-03-26 02:18:35 +01:00
quotaio_v2.h vfs: Add general support to enforce project quota limits 2015-03-18 21:55:08 +01:00