Commit 1827c36e authored May 09, 2023 by Xia Fukun Committed by Jialin Zhang May 10, 2023

prlimit: do_prlimit needs to have a speculation check

stable inclusion
from stable-v5.10.165
commit 9f8e45720e0e7edb661d0082422f662ed243d8d8
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6Z6SU?from=project-issue
CVE: CVE-2023-0458

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=9f8e45720e0e7edb661d0082422f662ed243d8d8



--------------------------------

[ Upstream commit 73979060 ]

do_prlimit() adds the user-controlled resource value to a pointer that
will subsequently be dereferenced.  In order to help prevent this
codepath from being used as a spectre "gadget" a barrier needs to be
added after checking the range.

Reported-by: Jordy Zomer <jordyzomer@google.com>
Tested-by: Jordy Zomer <jordyzomer@google.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Xia Fukun <xiafukun@huawei.com>
Reviewed-by: Zhang Qiao <zhangqiao22@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

parent e9ab135b

kernel/sys.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1548,6 +1548,8 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,

		if (resource >= RLIM_NLIMITS)
		return -EINVAL;
		resource = array_index_nospec(resource, RLIM_NLIMITS);

		if (new_rlim) {
		if (new_rlim->rlim_cur > new_rlim->rlim_max)
		return -EINVAL;