From patchwork Tue Oct 8 06:10:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tyler Hicks X-Patchwork-Id: 1173108 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 46nRmQ1SVBz9sPT; Tue, 8 Oct 2019 17:10:46 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1iHihm-0006zb-32; Tue, 08 Oct 2019 06:10:42 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iHihk-0006zF-31 for kernel-team@lists.ubuntu.com; Tue, 08 Oct 2019 06:10:40 +0000 Received: from 2.general.tyhicks.us.vpn ([10.172.64.53] helo=sec.work.tihix.com) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iHihj-0006SO-O3; Tue, 08 Oct 2019 06:10:39 +0000 From: Tyler Hicks To: kernel-team@lists.ubuntu.com Subject: [PATCH 1/1] UBUNTU: SAUCE: Fix posix clock speculation mitigation backport Date: Tue, 8 Oct 2019 06:10:15 +0000 Message-Id: <20191008061015.23059-2-tyhicks@canonical.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191008061015.23059-1-tyhicks@canonical.com> References: <20191008061015.23059-1-tyhicks@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://launchpad.net/bugs/1847189 The Ubuntu Xenial backport of upstream commit 19b558db12f9 ("posix-timers: Protect posix clock array access against speculation") incorrectly dropped the NULL check on the .clock_getres function pointer. Readd the NULL check while still protecting against side-channel speculation attacks when indexing into the posix_clocks array to perform that NULL check. The NULL check protects against a denial of service (system crash) or possible arbitrary code execution that can be triggered by clock_gettime(10, 0), as pointed out by Vitaly Nikolenko. Fixes: eb4a3a43d161 ("posix-timers: Protect posix clock array access against speculation") Signed-off-by: Tyler Hicks --- kernel/time/posix-timers.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c index fef13152b372..6e0ac1e7494e 100644 --- a/kernel/time/posix-timers.c +++ b/kernel/time/posix-timers.c @@ -606,7 +606,11 @@ static struct k_clock *clockid_to_kclock(const clockid_t id) if (id >= MAX_CLOCKS) return NULL; - return &posix_clocks[array_index_nospec(idx, MAX_CLOCKS)]; + idx = array_index_nospec(idx, MAX_CLOCKS); + if (!posix_clocks[idx].clock_getres) + return NULL; + + return &posix_clocks[idx]; } static int common_timer_create(struct k_itimer *new_timer)