Linus Torvalds writes: (Summary)
Here's a test: run a 32-bit kernel, and then do an ioctl() or
something with a negative fd.

What I think will happen is:

 - the negative fd will be seen as a big 'unsigned int' here:

        fcheck_files(struct files_struct *files, unsigned int fd)

   which then does

        fd = array_index_nospec(fd, fdt->max_fds);

   and that existing *STUPID* and *WRONG* WARN_ON() will trigger.
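To see why a negative fd is harmless to the index masking but still trips the range warning on a 32-bit kernel, here is a userspace model of the scenario. This is an added example, not code from the email or from the kernel: it re-implements the generic C fallback of array_index_mask_nospec() from include/linux/nospec.h with 32-bit integers (so LONG_MAX is 0x7fffffff), models the old `index > LONG_MAX || size > LONG_MAX` warning condition as a predicate, and uses a constructed eight-entry stand-in for fdt->fd[]. The names array_index_mask_nospec32, array_index_nospec32, old_range_warning_fires, lookup_fd and fake_fd_table are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a 32-bit kernel: unsigned long / long are 32 bits wide, so
 * LONG_MAX is 0x7fffffff. Everything below is a userspace stand-in,
 * not kernel code. */
typedef uint32_t ulong32;
typedef int32_t  long32;
#define BITS_PER_LONG32 32
#define LONG32_MAX      0x7fffffffU

/*
 * Generic C fallback for array_index_mask_nospec() (include/linux/nospec.h),
 * written for 32-bit words: returns all ones when 0 <= index < size and
 * zero otherwise. A set sign bit in index makes the OR negative, so its
 * complement is non-negative and the arithmetic shift yields 0, i.e. an
 * index with the top bit set is already treated as out of range.
 */
static ulong32 array_index_mask_nospec32(ulong32 index, ulong32 size)
{
    return (ulong32)(~(long32)(index | (size - 1U - index)) >> (BITS_PER_LONG32 - 1));
}

/* array_index_nospec(): clamp index to [0, size) without a branch. */
static ulong32 array_index_nospec32(ulong32 index, ulong32 size)
{
    return index & array_index_mask_nospec32(index, size);
}

/*
 * The range check Linus objects to: the old fallback warned whenever
 * index or size exceeded LONG_MAX. On 32-bit, any negative int fd that
 * reaches an 'unsigned int fd' parameter is >= 0x80000000 and trips it,
 * even though the mask above already handles that case correctly.
 */
static bool old_range_warning_fires(ulong32 index, ulong32 size)
{
    return index > LONG32_MAX || size > LONG32_MAX;
}

/* Constructed stand-in for fdt->fd[]; max_fds = 8 is a made-up size. */
#define FAKE_MAX_FDS 8U
static const char *fake_fd_table[FAKE_MAX_FDS] = { "stdin", "stdout", "stderr" };

/*
 * Modelled on fcheck_files(): the caller's int fd arrives as unsigned int,
 * so -1 becomes 0xffffffff; it is rejected by the bounds check, and the
 * speculation-safe index is what reaches the array access.
 */
static const char *lookup_fd(unsigned int fd)
{
    if (fd >= FAKE_MAX_FDS)
        return NULL;
    fd = array_index_nospec32(fd, FAKE_MAX_FDS);
    return fake_fd_table[fd];
}

int main(void)
{
    int test_fds[] = { 1, 7, 8, -1 };
    for (size_t i = 0; i < sizeof(test_fds) / sizeof(test_fds[0]); i++) {
        unsigned int fd = (unsigned int)test_fds[i];
        const char *f = lookup_fd(fd);
        printf("fd %d -> index 0x%08x, mask 0x%08x, old WARN %s, file %s\n",
               test_fds[i], fd, array_index_mask_nospec32(fd, FAKE_MAX_FDS),
               old_range_warning_fires(fd, FAKE_MAX_FDS) ? "fires" : "quiet",
               f ? f : "(none)");
    }
    return 0;
}
```

Running it shows fd -1 arriving as 0xffffffff: the mask is 0, lookup_fd() returns nothing, and yet old_range_warning_fires() reports true, which is exactly the noise the email complains about. A 64-bit kernel would not hit the warning for the same input because 0xffffffff is below LONG_MAX there.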