The (clock) id argument of clockid_to_kclock() comes straight from user space via various syscalls and is used as index into the posix_clocks array.
Protect it against spectre v1 array out of bounds speculation. Signed-off-by: Thomas Gleixner <[email protected]> Cc: [email protected] --- kernel/time/posix-timers.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/kernel/time/posix-timers.c +++ b/kernel/time/posix-timers.c @@ -50,6 +50,7 @@ #include <linux/export.h> #include <linux/hashtable.h> #include <linux/compat.h> +#include <linux/nospec.h> #include "timekeeping.h" #include "posix-timers.h" @@ -1346,11 +1347,14 @@ static const struct k_clock * const posi static const struct k_clock *clockid_to_kclock(const clockid_t id) { + clockid_t idx = id; + if (id < 0) return (id & CLOCKFD_MASK) == CLOCKFD ? &clock_posix_dynamic : &clock_posix_cpu; if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id]) return NULL; - return posix_clocks[id]; + + return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))]; }
