Draft: CVE-2024-42265: protect the fetch of ->fdfd] in do_dup2() from mispredictions (!5057) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

CKI Backport Bot requested to merge redhat/red-hat-ci-tools/kernel/bot-branches/centos-stream-9:backport-RHEL-55126-centos-stream-9-main into main Aug 19, 2024

JIRA: https://issues.redhat.com/browse/RHEL-55126
CVE: CVE-2024-42265

protect the fetch of ->fd[fd] in do_dup2() from mispredictions

both callers have verified that fd is not greater than ->max_fds;
however, misprediction might end up with
        tofree = fdt->fd[fd];
being speculatively executed.  That's wrong for the same reasons
why it's wrong in close_fd()/file_close_fd_locked(); the same
solution applies - array_index_nospec(fd, fdt->max_fds) could differ
from fd only in case of speculative execution on mispredicted path.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 8aa37bde1a7b645816cda8b80df4753ecf172bf1)

Signed-off-by: CKI Backport Bot cki-ci-bot+cki-gitlab-backport-bot@redhat.com

Draft: CVE-2024-42265: protect the fetch of -&gt;fdfd] in do_dup2() from mispredictions

Merge request reports

Draft: CVE-2024-42265: protect the fetch of ->fdfd] in do_dup2() from mispredictions