| author | Lukas Gerlach <lukas.gerlach@cispa.de> | 2026-02-28 14:27:27 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-03-25 11:06:00 +0100 |
| commit | 33743ec6679aa364ee19d1afbaa50593e9e6e443 (patch) | |
| tree | a225b7f8367bdd3af95be6630f6d569b1ed5f9c0 | |
| parent | 4357e02cafabe01c2d737ceb4c4c6382fc2ee10a (diff) | |
riscv: Sanitize syscall table indexing under speculation

[ Upstream commit 25fd7ee7bf58ac3ec7be3c9f82ceff153451946c ]

The syscall number is a user-controlled value used to index into the
syscall table. Use array_index_nospec() to clamp this value after the
bounds check to prevent speculative out-of-bounds access and subsequent
data leakage via cache side channels.

Signed-off-by: Lukas Gerlach <lukas.gerlach@cispa.de>
Link: https://patch.msgid.link/20251218191332.35849-3-lukas.gerlach@cispa.de
Signed-off-by: Paul Walmsley <pjw@kernel.org>
[ Added linux/nospec.h for array_index_nospec() to make sure it compiles without error ]
Signed-off-by: Leon Chen <leonchen.oss@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | arch/riscv/kernel/traps.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 53c7de4878c2..314c4d7671ca 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -20,6 +20,7 @@ #include <linux/irq.h> #include <linux/kexec.h> #include <linux/entry-common.h> +#include <linux/nospec.h> #include <asm/asm-prototypes.h> #include <asm/bug.h> @@ -317,8 +318,10 @@ asmlinkage __visible __trap_section void do_trap_ecall_u(struct pt_regs *regs) syscall = syscall_enter_from_user_mode(regs, syscall); - if (syscall >= 0 && syscall < NR_syscalls) + if (syscall >= 0 && syscall < NR_syscalls) { + syscall = array_index_nospec(syscall, NR_syscalls); syscall_handler(regs, syscall); + } syscall_exit_to_user_mode(regs); } else { |
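Review bot: in the do_trap_ecall_u() hunk, the clamp is applied at the call site, while the table lookup it protects is not in these lines and presumably sits inside syscall_handler(). Any other path that reaches syscall_handler() with a checked but unclamped number would not get the protection, so consider moving the array_index_nospec() call next to the actual table index, or confirm that this is the only caller. Either way, a short comment above `syscall = array_index_nospec(syscall, NR_syscalls);` saying that it guards against speculative execution past the bounds check, and must stay between the check and the call, would keep it from being dropped later as a redundant reassignment of a value that has already been range-checked.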
