[PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()

Mon, 27 May 2019 00:23:53 -0700 

The `resource` in do_prlimit() is controlled by userspace via syscall: 
setrlimit(defined in kernel/sys.c), hence leading to a potential exploitation 
of the Spectre variant 1 vulnerability.
The relevant code in do_prlimit() is as below:

if (resource >= RLIM_NLIMITS)
        return -EINVAL;
...
rlim = tsk->signal->rlim + resource;    // use resource as index
...
            *old_rlim = *rlim;

Fix this by sanitizing resource before using it to index tsk->signal->rlim.

Signed-off-by: Dianzhang Chen <[email protected]>
---
 kernel/sys.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/sys.c b/kernel/sys.c
index bdbfe8d..7eba1ca 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1532,6 +1532,8 @@ int do_prlimit(struct task_struct *tsk, unsigned int 
resource,
 
        if (resource >= RLIM_NLIMITS)
                return -EINVAL;
+
+       resource = array_index_nospec(resource, RLIM_NLIMITS);
        if (new_rlim) {
                if (new_rlim->rlim_cur > new_rlim->rlim_max)
                        return -EINVAL;
-- 
2.7.4

Reply via email to