x86/syscall: Sanitize syscall table de-references under speculation

[pandora-kernel.git] / arch / x86 / kernel / entry_64.S

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index a2b14db..e992680 100644 (file)
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -517,8 +517,10 @@ ENTRY(system_call_after_swapgs)
        testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%rcx)
        jnz tracesys
 system_call_fastpath:
-       cmpq $__NR_syscall_max,%rax
-       ja badsys
+       cmpq    $NR_syscalls, %rax
+       jae     badsys
+       sbb     %rcx, %rcx                      /* array_index_mask_nospec() */
+       and     %rcx, %rax
        movq %r10,%rcx
 #ifdef CONFIG_RETPOLINE
        movq    sys_call_table(, %rax, 8), %rax
@@ -646,8 +648,10 @@ tracesys:
         */
        LOAD_ARGS ARGOFFSET, 1
        RESTORE_REST
-       cmpq $__NR_syscall_max,%rax
-       ja   int_ret_from_sys_call      /* RAX(%rsp) set to -ENOSYS above */
+       cmpq    $NR_syscalls, %rax
+       jae     int_ret_from_sys_call           /* RAX(%rsp) set to -ENOSYS above */
+       sbb     %rcx, %rcx                      /* array_index_mask_nospec() */
+       and     %rcx, %rax
        movq %r10,%rcx  /* fixup for C */
 #ifdef CONFIG_RETPOLINE
        movq    sys_call_table(, %rax, 8), %rax