[PATCH 1/1] UBUNTU: SAUCE: Fix posix clock speculation mitigation backport
Tyler Hicks
tyhicks at canonical.com
Tue Oct 8 06:10:15 UTC 2019
BugLink: https://launchpad.net/bugs/1847189
The Ubuntu Xenial backport of upstream commit 19b558db12f9
("posix-timers: Protect posix clock array access against speculation")
incorrectly dropped the NULL check on the .clock_getres function
pointer. Readd the NULL check while still protecting against
side-channel speculation attacks when indexing into the posix_clocks
array to perform that NULL check.
The NULL check protects against a denial of service (system crash) or
possible arbitrary code execution that can be triggered by
clock_gettime(10, 0), as pointed out by Vitaly Nikolenko.
Fixes: eb4a3a43d161 ("posix-timers: Protect posix clock array access against speculation")
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
kernel/time/posix-timers.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index fef13152b372..6e0ac1e7494e 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -606,7 +606,11 @@ static struct k_clock *clockid_to_kclock(const clockid_t id)
if (id >= MAX_CLOCKS)
return NULL;
- return &posix_clocks[array_index_nospec(idx, MAX_CLOCKS)];
+ idx = array_index_nospec(idx, MAX_CLOCKS);
+ if (!posix_clocks[idx].clock_getres)
+ return NULL;
+
+ return &posix_clocks[idx];
}
static int common_timer_create(struct k_itimer *new_timer)
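Review bot: the new test "if (!posix_clocks[idx].clock_getres)" has no comment saying why a NULL .clock_getres is treated as "no clock registered in this slot", and that check is exactly what the earlier backport lost. A one-line comment above it, for example "unregistered slots have no clock_getres; do not hand them to callers", would make it harder to drop again in a future backport or refactor. Separately, the bounds check in the context lines tests id while the clamp and both array accesses use idx, whose declaration and assignment sit outside this hunk; it is worth confirming that idx is set from id before the array_index_nospec() call, since the hunk as shown never establishes that the value being clamped is the one that was range-checked.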
--
2.17.1