On Thu, 1 Nov 2018, Cyrill Gorcunov wrote: > When showing timer's notify symbolic name make sure we never fetch a value > sitting outside of the names array. Though the former issue displaying > timer->it_sigev_notify has been fixed by Thomas in commit cef31d9af9082434, > better to make sure we won't hit it again in further modifications. > > Cc: Andrey Vagin <ava...@gmail.com> > Cc: Thomas Gleixner <t...@linutronix.de> > Signed-off-by: Cyrill Gorcunov <gorcu...@gmail.com> > --- > fs/proc/base.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > Index: linux-ml.git/fs/proc/base.c > =================================================================== > --- linux-ml.git.orig/fs/proc/base.c > +++ linux-ml.git/fs/proc/base.c > @@ -2287,7 +2287,7 @@ static int show_timer(struct seq_file *m > { > struct k_itimer *timer; > struct timers_private *tp = m->private; > - int notify; > + int notify, nidx; > static const char * const nstr[] = { > [SIGEV_SIGNAL] = "signal", > [SIGEV_NONE] = "none", > @@ -2296,13 +2296,13 @@ static int show_timer(struct seq_file *m > > timer = list_entry((struct list_head *)v, struct k_itimer, list); > notify = timer->it_sigev_notify; > + nidx = array_index_nospec(notify & ~SIGEV_THREAD_ID, ARRAY_SIZE(nstr));
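Review bot: on the added nidx = array_index_nospec(notify & ~SIGEV_THREAD_ID, ARRAY_SIZE(nstr)); line in the second hunk, an out-of-range value is clamped to index 0, and index 0 of nstr is [SIGEV_SIGNAL] = "signal", so an unexpected it_sigev_notify would be shown as a plain signal timer instead of being reported. array_index_nospec() bounds an index under speculation and is not a substitute for validation; if the goal is to never read outside nstr, compare the masked value against ARRAY_SIZE(nstr) and return an error. The quoted diff ends at this line, so the remaining changes counted in the diffstat (3 insertions, 3 deletions), including where nidx is used, cannot be checked here.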
I completely understand your intention, but this is misleading. The above
is really not a speculation gadget. I'd rather do an open coded check here
and fail the thing instead of printing wrong information:

	nidx = timer->it_sigev_notify & ~SIGEV_THREAD_ID;
	if (nidx >= ARRAY_SIZE(nstr))
		return -EINVAL;

Thanks,

	tglx
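The difference between clamping and rejecting discussed in this thread, as an added userspace example (not code from the patch, the reply, or the kernel tree). `model_index_nospec`, the two `notify_name_*` helpers and the sample values are constructed for illustration, and the third `nstr` entry is assumed because the quoted hunk cuts the array off.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#define SIGEV_SIGNAL    0 /* values as in the Linux UAPI headers */
#define SIGEV_NONE      1
#define SIGEV_THREAD    2
#define SIGEV_THREAD_ID 4
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* First two entries are in the quoted hunk; "thread" is assumed (cut off by the hunk). */
static const char * const nstr[] = {
	[SIGEV_SIGNAL] = "signal",
	[SIGEV_NONE]   = "none",
	[SIGEV_THREAD] = "thread",
};

/* Userspace model of a nospec-style clamp: mask is all ones when idx < size, else 0
 * (relies on arithmetic right shift of a negative long, as gcc and clang provide). */
static unsigned long model_index_nospec(unsigned long idx, unsigned long size)
{
	return idx & (unsigned long)(~(long)(idx | (size - 1UL - idx)) >> (sizeof(long) * 8 - 1));
}

/* Clamping, as in the posted patch: an out-of-range value silently becomes index 0. */
static const char *notify_name_clamped(int notify)
{
	unsigned long idx = (unsigned long)(long)(notify & ~SIGEV_THREAD_ID);
	return nstr[model_index_nospec(idx, ARRAY_SIZE(nstr))];
}

/* Open-coded check, as in the reply; the cast makes negative values fail the test too. */
static int notify_name_checked(int notify, const char **name)
{
	int nidx = notify & ~SIGEV_THREAD_ID;
	if ((size_t)nidx >= ARRAY_SIZE(nstr))
		return -EINVAL;
	*name = nstr[nidx];
	return 0;
}

int main(void)
{
	int samples[] = { SIGEV_NONE, SIGEV_SIGNAL | SIGEV_THREAD_ID, 3, -1 }; /* constructed */
	for (size_t i = 0; i < ARRAY_SIZE(samples); i++) {
		const char *name = "(rejected)";
		int ret = notify_name_checked(samples[i], &name);
		printf("%d: clamped=%s checked=%s ret=%d\n", samples[i], notify_name_clamped(samples[i]), name, ret);
	}
	return 0;
}
```

For the constructed values 3 and -1 the clamped lookup reports "signal", while the checked lookup returns -EINVAL and leaves the name untouched.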