riscv: Sanitize syscall table indexing under speculation

The syscall number is a user-controlled value used to index into the
syscall table. Use array_index_nospec() to clamp this value after the
bounds check to prevent speculative out-of-bounds access and subsequent
data leakage via cache side channels.

Signed-off-by: Lukas Gerlach <lukas.gerlach@cispa.de>
Link: https://patch.msgid.link/20251218191332.35849-3-lukas.gerlach@cispa.de
Signed-off-by: Paul Walmsley <pjw@kernel.org>
This commit is contained in:
Lukas Gerlach 2025-12-18 20:13:32 +01:00 committed by Paul Walmsley
parent 66562b66dc
commit 25fd7ee7bf
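A userspace model of the clamp the commit message describes, added here as an example (not code from the kernel tree or from this commit): it computes a branch-free mask in the style of the generic fallback in include/linux/nospec.h and applies it after the bounds check. The names `index_mask_nospec`, `clamp_index_nospec`, `demo_table`, `demo_dispatch` and the table size of 8 are assumptions made for the demo.

```c
#include <limits.h>
#include <stdio.h>

#define NR_SYSCALLS_DEMO 8UL	/* constructed table size, not the real NR_syscalls */
#define BITS_PER_LONG_DEMO (sizeof(long) * CHAR_BIT)

/* All ones when index < size, zero otherwise; computed without a branch.
 * Assumes size <= LONG_MAX and an arithmetic right shift of negative longs
 * (true for GCC and Clang). */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	/* Hide the value from the optimizer so it cannot reintroduce a branch. */
	__asm__ volatile("" : "+r"(index));
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
			       (BITS_PER_LONG_DEMO - 1));
}

/* Clamp: in-range indexes pass through, anything else becomes 0. */
static long clamp_index_nospec(long index, unsigned long size)
{
	return (long)((unsigned long)index &
		      index_mask_nospec((unsigned long)index, size));
}

/* Constructed stand-in for the syscall table. */
static const long demo_table[NR_SYSCALLS_DEMO] = {
	100, 101, 102, 103, 104, 105, 106, 107
};

/* Same shape as the patched dispatch: bounds check, then clamp, then index.
 * The branch can be mispredicted; the clamp is a data dependency, so the
 * index used for the load stays inside the table either way. */
static long demo_dispatch(long nr)
{
	if (nr >= 0 && (unsigned long)nr < NR_SYSCALLS_DEMO) {
		nr = clamp_index_nospec(nr, NR_SYSCALLS_DEMO);
		return demo_table[nr];
	}
	return -1;	/* out of range: no table access on the architectural path */
}

int main(void)
{
	long probes[] = { 0, 7, 8, -1, LONG_MAX };	/* constructed inputs */
	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("nr=%ld clamp=%ld dispatch=%ld\n", probes[i],
		       clamp_index_nospec(probes[i], NR_SYSCALLS_DEMO),
		       demo_dispatch(probes[i]));
	return 0;
}
```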


@ -339,8 +339,10 @@ void do_trap_ecall_u(struct pt_regs *regs)
add_random_kstack_offset();
if (syscall >= 0 && syscall < NR_syscalls)
if (syscall >= 0 && syscall < NR_syscalls) {
syscall = array_index_nospec(syscall, NR_syscalls);
syscall_handler(regs, syscall);
}
/*
* Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
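Review bot: The hunk starts at line 339 on both the old and new side, so nothing was added above the call site in this file, which means no #include came in with the new array_index_nospec() call; if this file does not already include <linux/nospec.h> directly, add it rather than relying on a transitive include. A one-line comment above `syscall = array_index_nospec(syscall, NR_syscalls);` stating that the clamp covers the mispredicted case of the preceding `if` would also keep it from being dropped later as redundant with the bounds check.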