git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Tue, 24 Apr 2018 05:45:56 +0000 (07:45 +0200)
committer	Stefan Bader <stefan.bader@canonical.com>
	Tue, 14 Aug 2018 10:24:02 +0000 (12:24 +0200)
commit	e2ff7e1df320b5344cce6b57e72bd4cd5b5180b5
tree	6a2ba8418d0efe9e0e638ecb177f67c4f999bc9d	tree
parent	ef6e01a6d1d799ac1e30ab3442e762a197339709	commit \| diff

ALSA: control: Hardening for potential Spectre v1

BugLink: http://bugs.launchpad.net/bugs/1778265
commit 088e861edffb84879cf0c0d1b02eda078c3a0ffe upstream.

As recently Smatch suggested, a few places in ALSA control core codes
may expand the array directly from the user-space value with
speculation:

  sound/core/control.c:1003 snd_ctl_elem_lock() warn: potential spectre issue 'kctl->vd'
  sound/core/control.c:1031 snd_ctl_elem_unlock() warn: potential spectre issue 'kctl->vd'
  sound/core/control.c:844 snd_ctl_elem_info() warn: potential spectre issue 'kctl->vd'
  sound/core/control.c:891 snd_ctl_elem_read() warn: potential spectre issue 'kctl->vd'
  sound/core/control.c:939 snd_ctl_elem_write() warn: potential spectre issue 'kctl->vd'

Although all these seem doing only the first load without further
reference, we may want to stay in a safer side, so hardening with
array_index_nospec() would still make sense.

In this patch, we put array_index_nospec() to the common
snd_ctl_get_ioff*() helpers instead of each caller.  These helpers are
also referred from some drivers, too, and basically all usages are to
calculate the array index from the user-space value, hence it's better
to cover there.

BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>