[1/1] UBUNTU: SAUCE: Fix posix clock speculation mitigation backport

Message ID 20191008061015.23059-2-tyhicks@canonical.com
State New
Series
  • Bad posix clock speculation mitigation backport (LP: #1847189)

Commit Message

Tyler Hicks Oct. 8, 2019, 6:10 a.m. UTC
BugLink: https://launchpad.net/bugs/1847189

The Ubuntu Xenial backport of upstream commit 19b558db12f9
("posix-timers: Protect posix clock array access against speculation")
incorrectly dropped the NULL check on the .clock_getres function
pointer. Readd the NULL check while still protecting against
side-channel speculation attacks when indexing into the posix_clocks
array to perform that NULL check.

The NULL check protects against a denial of service (system crash) or
possible arbitrary code execution that can be triggered by
clock_gettime(10, 0), as pointed out by Vitaly Nikolenko.

Fixes: eb4a3a43d161 ("posix-timers: Protect posix clock array access against speculation")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 kernel/time/posix-timers.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Patch

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index fef13152b372..6e0ac1e7494e 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -606,7 +606,11 @@  static struct k_clock *clockid_to_kclock(const clockid_t id)
 	if (id >= MAX_CLOCKS)
 		return NULL;
 
-	return &posix_clocks[array_index_nospec(idx, MAX_CLOCKS)];
+	idx = array_index_nospec(idx, MAX_CLOCKS);
+	if (!posix_clocks[idx].clock_getres)
+		return NULL;
+
+	return &posix_clocks[idx];
 }
 
 static int common_timer_create(struct k_itimer *new_timer)
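
Review bot: the range check in the context lines tests `id` (`if (id >= MAX_CLOCKS)`), while the clamp and both array accesses use `idx`, whose declaration is outside this hunk. It is worth confirming in the lines above that `idx` is simply a copy of `id`, since the fix depends on the two agreeing. The new `if (!posix_clocks[idx].clock_getres)` test also deserves a one-line comment stating that it must stay after `array_index_nospec()` so the load of `.clock_getres` uses the clamped index, and that it is the check that rejects in-range ids with no registered clock. The commit message says an earlier backport dropped this check, so a comment in the code would help keep a later backport from dropping or reordering it again.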