• Jeremy Cline's avatar
    fs/quota: Fix spectre gadget in do_quotactl · c1ef3fec
    Jeremy Cline authored
    commit 7b6924d9 upstream.
    
    'type' is user-controlled, so sanitize it after the bounds check to
    avoid using it in speculative execution. This covers the following
    potential gadgets detected with the help of smatch:
    
    * fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue
      'sb_dqopt(sb)->files' [r]
    * fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue
      'sb_dqopt(sb)->files' [r]
    * fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue
      'sb_dqopt(sb)->files' [r]
    * fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue
      'sb_dqopt(sb)->files' [r]
    * fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue
      'sb_dqopt(sb)->info' [w]
    * fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue
      'dquots' [r]
    * fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre
      issue 'dqopt->ops' [r]
    * fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre
      issue 'dqopt->files' [w] (local cap)
    * fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre
      issue 'dqopt->ops' [w] (local cap)
    * fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre
      issue 'dqopt->info' [w] (local cap)
    * fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue
      'sb_dqopt(sb)->info' [r]
    * fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre
      issue 'quota_magics' [w]
    * fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre
      issue 'quota_versions' [w]
    * fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre
      issue 'dqopt->info' [r]
    * fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre
      issue 'dqopt->info' [r]
    
    Additionally, a quick inspection indicates there are array accesses with
    'type' in quota_on() and quota_off() functions which are also addressed
    by this.
    
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: 's avatarJeremy Cline <jcline@redhat.com>
    Signed-off-by: 's avatarJan Kara <jack@suse.cz>
    Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    c1ef3fec
Name
Last commit
Last update
..
Kconfig Loading commit data...
Makefile Loading commit data...
compat.c Loading commit data...
dquot.c Loading commit data...
kqid.c Loading commit data...
netlink.c Loading commit data...
quota.c Loading commit data...
quota_tree.c Loading commit data...
quota_tree.h Loading commit data...
quota_v1.c Loading commit data...
quota_v2.c Loading commit data...
quotaio_v1.h Loading commit data...
quotaio_v2.h Loading commit data...