fs: prevent out-of-bounds array speculation when closing a file descriptor

commit 609d544414 upstream. Google-Bug-Id: 114199369 Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-03-06 13:54:50 -05:00 · 2023-03-06 13:54:50 -05:00 · f8cd8754a0
--- a/fs/file.c
+++ b/fs/file.c
@ -646,6 +646,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
 		file = ERR_PTR(-EINVAL);
 		goto out_unlock;
 	}
+	fd = array_index_nospec(fd, fdt->max_fds);
 	file = fdt->fd[fd];
 	if (!file) {
 		file = ERR_PTR(-EBADF);