Commit 25fd7ee7 authored by Lukas Gerlach, committed by Paul Walmsley

riscv: Sanitize syscall table indexing under speculation



The syscall number is a user-controlled value used to index into the
syscall table. Use array_index_nospec() to clamp this value after the
bounds check to prevent speculative out-of-bounds access and subsequent
data leakage via cache side channels.

Signed-off-by: Lukas Gerlach <lukas.gerlach@cispa.de>
Link: https://patch.msgid.link/20251218191332.35849-3-lukas.gerlach@cispa.de


Signed-off-by: Paul Walmsley <pjw@kernel.org>
parent 66562b66
+3 −1
@@ -339,8 +339,10 @@ void do_trap_ecall_u(struct pt_regs *regs)

		add_random_kstack_offset();

		if (syscall >= 0 && syscall < NR_syscalls)
		if (syscall >= 0 && syscall < NR_syscalls) {
			syscall = array_index_nospec(syscall, NR_syscalls);
			syscall_handler(regs, syscall);
		}

		/*
		 * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
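Review bot: the diffstat is +3 −1 and all of those lines are in this hunk of do_trap_ecall_u(), so the commit adds no #include for the new array_index_nospec() call; please confirm this file already includes <linux/nospec.h> directly rather than picking it up through another header. It would also help to put a one-line comment on the `syscall = array_index_nospec(syscall, NR_syscalls);` line saying that the clamp has to stay between the `syscall < NR_syscalls` check and syscall_handler(regs, syscall), so a later refactor of the branch does not separate them or drop the clamp as redundant with the bounds check.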