commit 25fd7ee7bf58ac3ec7be3c9f82ceff153451946c · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

riscv: Sanitize syscall table indexing under speculation

The syscall number is a user-controlled value used to index into the
syscall table. Use array_index_nospec() to clamp this value after the
bounds check to prevent speculative out-of-bounds access and subsequent
data leakage via cache side channels.

Signed-off-by: Lukas Gerlach <lukas.gerlach@cispa.de>
Link: https://patch.msgid.link/20251218191332.35849-3-lukas.gerlach@cispa.de
Signed-off-by: Paul Walmsley <pjw@kernel.org>

authored by Lukas Gerlach and committed by Paul Walmsley 1 week ago 25fd7ee7 66562b66

options

unified split

Changed files

+3 -1

arch

riscv

kernel

traps.c

+3 -1

arch/riscv/kernel/traps.c

··· 339 339 340 340 add_random_kstack_offset(); 341 341 342 - if (syscall >= 0 && syscall < NR_syscalls) 342 + if (syscall >= 0 && syscall < NR_syscalls) { 343 + syscall = array_index_nospec(syscall, NR_syscalls); 343 344 syscall_handler(regs, syscall); 345 + } 344 346 345 347 /* 346 348 * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),