A hasty fix resulted in an incomplete Spectre fix in the Linux kernel

Developers of the Grsecurity project shared a cautionary tale showing how thoughtlessly silencing compiler warnings can introduce vulnerabilities into code. At the end of May, a fix was proposed for the Linux kernel to close a new vector for exploiting the Spectre vulnerability through the ptrace system call.

While testing the patch, the developers noticed that the compiler emitted a build warning about mixing declarations and code (the structure was declared after a statement that assigned a value to an existing variable):

int index = n;
if (n < HBP_NUM) {
	index = array_index_nospec(index, HBP_NUM);
	struct perf_event *bp = thread->ptrace_bps[index];

Linus accepted the fix into his master branch, getting rid of the warning by moving the variable definition into the if block:

if (n < HBP_NUM) {
	int index = array_index_nospec(n, HBP_NUM);
	struct perf_event *bp = thread->ptrace_bps[index];

In July, the fix was also backported to the stable kernel branches 4.4, 4.9, 4.14, 4.19 and 5.2. The stable-branch maintainers ran into the same warning and, instead of checking whether it had already been fixed in Linus's master branch, wrote their own fix. The problem is that, without really thinking it through, they simply moved the structure declaration up, so that the call to array_index_nospec, which is what actually provides the protection against the vulnerability, is no longer used when the structure is defined: the array is always indexed with the raw value of "n" rather than the sanitised "index":

int index = n;
if (n < HBP_NUM) {
	struct perf_event *bp = thread->ptrace_bps[index];
	index = array_index_nospec(index, HBP_NUM);
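To make the ordering point concrete, here is an added example that is not kernel source and not from the opennet article: a user-space reimplementation of the kernel's generic array_index_mask_nospec()/array_index_nospec(), plus two small functions modelling which index the ptrace_bps load would consume under the mainline and stable variants if the CPU speculatively ran the if body for an out-of-bounds n. HBP_NUM = 4 and the index_used_* function names are assumptions for the model.

```c
#include <stdio.h>

#define HBP_NUM 4                                   /* assumed slot count for the model */
#define BITS_PER_LONG (8 * (int)sizeof(unsigned long))

/* Reimplementation (not kernel code) of the generic array_index_mask_nospec():
 * ~0UL when index < size, 0UL otherwise, computed without a branch the CPU
 * could mispredict. Relies on arithmetic right shift of a negative long, as
 * the kernel's version does under GCC/Clang. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp: identity when index < size, 0 otherwise. */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Index the load thread->ptrace_bps[...] would consume if the CPU executed the
 * body of "if (n < HBP_NUM)" speculatively for an out-of-bounds n. The
 * architectural bounds check stops both variants; the sanitiser only matters
 * inside that speculative window. */
static unsigned long index_used_mainline(unsigned long n)
{
    unsigned long index = array_index_nospec(n, HBP_NUM); /* sanitised before the load */
    return index;
}

static unsigned long index_used_stable(unsigned long n)
{
    unsigned long index = n;
    unsigned long used = index;                  /* ptrace_bps[index] is read here */
    index = array_index_nospec(index, HBP_NUM);  /* computed after the load: never used */
    (void)index;
    return used;
}

int main(void)
{
    printf("  n  mainline  stable\n");
    for (unsigned long n = 0; n < 2 * HBP_NUM; n++)
        printf("%3lu  %8lu  %6lu%s\n", n, index_used_mainline(n),
               index_used_stable(n), n < HBP_NUM ? "" : "  <- raw n reaches the load");
    return 0;
}
```

For in-bounds n both variants yield the same index, which is why the regression is invisible to ordinary testing; only the speculative-path column differs.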

Source: opennet.ru