All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
	Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.4 24/44] ALSA: control: Hardening for potential Spectre v1
Date: Mon, 30 Apr 2018 12:24:35 -0700	[thread overview]
Message-ID: <20180430190947.309464317@linuxfoundation.org> (raw)
In-Reply-To: <20180430190946.093694747@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 088e861edffb84879cf0c0d1b02eda078c3a0ffe upstream.

As recently Smatch suggested, a few places in ALSA control core codes
may expand the array directly from the user-space value with
speculation:

  sound/core/control.c:1003 snd_ctl_elem_lock() warn: potential spectre issue 'kctl->vd'
  sound/core/control.c:1031 snd_ctl_elem_unlock() warn: potential spectre issue 'kctl->vd'
  sound/core/control.c:844 snd_ctl_elem_info() warn: potential spectre issue 'kctl->vd'
  sound/core/control.c:891 snd_ctl_elem_read() warn: potential spectre issue 'kctl->vd'
  sound/core/control.c:939 snd_ctl_elem_write() warn: potential spectre issue 'kctl->vd'

Although all these seem doing only the first load without further
reference, we may want to stay in a safer side, so hardening with
array_index_nospec() would still make sense.

In this patch, we put array_index_nospec() to the common
snd_ctl_get_ioff*() helpers instead of each caller.  These helpers are
also referred from some drivers, too, and basically all usages are to
calculate the array index from the user-space value, hence it's better
to cover there.

BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/sound/control.h |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/include/sound/control.h
+++ b/include/sound/control.h
@@ -22,6 +22,7 @@
  *
  */
 
+#include <linux/nospec.h>
 #include <sound/asound.h>
 
 #define snd_kcontrol_chip(kcontrol) ((kcontrol)->private_data)
@@ -147,12 +148,14 @@ int snd_ctl_get_preferred_subdevice(stru
 
 static inline unsigned int snd_ctl_get_ioffnum(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
 {
-	return id->numid - kctl->id.numid;
+	unsigned int ioff = id->numid - kctl->id.numid;
+	return array_index_nospec(ioff, kctl->count);
 }
 
 static inline unsigned int snd_ctl_get_ioffidx(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
 {
-	return id->index - kctl->id.index;
+	unsigned int ioff = id->index - kctl->id.index;
+	return array_index_nospec(ioff, kctl->count);
 }
 
 static inline unsigned int snd_ctl_get_ioff(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)

  parent reply	other threads:[~2018-04-30 19:24 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-30 19:24 [PATCH 4.4 00/44] 4.4.131-stable review Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 01/44] ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 02/44] ext4: set h_journal if there is a failure starting a reserved handle Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 03/44] ext4: add validity checks for bitmap block numbers Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 04/44] ext4: fix bitmap position validation Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 05/44] usbip: usbip_host: fix to hold parent lock for device_attach() calls Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 06/44] usbip: vhci_hcd: Fix usb device and sockfd leaks Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 07/44] USB: serial: simple: add libtransistor console Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 08/44] USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 09/44] USB: serial: cp210x: add ID for NI USB serial console Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 10/44] usb: core: Add quirk for HP v222w 16GB Mini Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 11/44] USB: Increment wakeup count on remote wakeup Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 12/44] ALSA: usb-audio: Skip broken EU on Dell dock USB-audio Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 13/44] virtio: add ability to iterate over vqs Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 14/44] virtio_console: free buffers after reset Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 15/44] drm/virtio: fix vq wait_event condition Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 16/44] tty: Dont call panic() at tty_ldisc_init() Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 17/44] tty: n_gsm: Fix long delays with control frame timeouts in ADM mode Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 18/44] tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 19/44] tty: Use __GFP_NOFAIL for tty_ldisc_get() Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 20/44] ALSA: opl3: Hardening for potential Spectre v1 Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 21/44] ALSA: asihpi: " Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 22/44] ALSA: hdspm: " Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 23/44] ALSA: rme9652: " Greg Kroah-Hartman
2018-04-30 19:24 ` Greg Kroah-Hartman [this message]
2018-04-30 19:24 ` [PATCH 4.4 25/44] ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 26/44] ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 27/44] ALSA: seq: oss: Hardening for potential Spectre v1 Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 28/44] ALSA: hda: " Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 29/44] ALSA: hda/realtek - Add some fixes for ALC233 Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 30/44] mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 31/44] mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 32/44] mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 33/44] kobject: dont use WARN for registration failures Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 34/44] scsi: sd: Defer spinning up drive while SANITIZE is in progress Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 35/44] ARM: amba: Make driver_override output consistent with other buses Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 36/44] ARM: amba: Fix race condition with driver_override Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 37/44] ARM: amba: Dont read past the end of sysfs "driver_override" buffer Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 38/44] ASoC: fsl_esai: Fix divisor calculation failure at lower ratio Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 39/44] libceph: validate con->state at the top of try_write() Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 40/44] x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 41/44] x86/smpboot: Dont use mwait_play_dead() on AMD systems Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 42/44] serial: mctrl_gpio: export mctrl_gpio_disable_ms and mctrl_gpio_init Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 43/44] serial: mctrl_gpio: Add missing module license Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 44/44] ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode Greg Kroah-Hartman
2018-04-30 23:56   ` Sriram R
2018-05-01 15:01     ` Greg Kroah-Hartman
2018-04-30 23:55 ` [PATCH 4.4 00/44] 4.4.131-stable review Nathan Chancellor
2018-05-01 15:03   ` Greg Kroah-Hartman
2018-05-01  3:24 ` kernelci.org bot
2018-05-01 13:19 ` Guenter Roeck
2018-05-01 14:22 ` Dan Rue
2018-05-01 19:08 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180430190947.309464317@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dan.carpenter@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=tiwai@suse.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.