diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-08-02 08:52:27 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-08-02 08:52:27 -0700 |
| commit | bbea34e693f4cc62d594efc7ef7629900d97b9a8 (patch) | |
| tree | fbede8b49f094dd5d846a3db66576d71506a76b8 | |
| parent | c0ecd6388360d930440cc5554026818895199923 (diff) | |
| parent | 8aa37bde1a7b645816cda8b80df4753ecf172bf1 (diff) | |
Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs fix from Al Viro:
"do_dup2() out-of-bounds array speculation fix"
* tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
protect the fetch of ->fd[fd] in do_dup2() from mispredictions
| -rw-r--r-- | fs/file.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/file.c b/fs/file.c index a3b72aa64f11..a11e59b5d602 100644 --- a/fs/file.c +++ b/fs/file.c @@ -1248,6 +1248,7 @@ __releases(&files->file_lock) * tables and this condition does not arise without those. */ fdt = files_fdtable(files); + fd = array_index_nospec(fd, fdt->max_fds); tofree = fdt->fd[fd]; if (!tofree && fd_is_open(fd, fdt)) goto Ebusy; |