From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.4 21/44] ALSA: asihpi: Hardening for potential Spectre v1
Date: Mon, 30 Apr 2018 12:24:32 -0700 [thread overview]
Message-ID: <20180430190947.189947288@linuxfoundation.org> (raw)
In-Reply-To: <20180430190946.093694747@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit f9d94b57e30fd1575b4935045b32d738668aa74b upstream.
As recently Smatch suggested, a couple of places in ASIHPI driver may
expand the array directly from the user-space value with speculation:
sound/pci/asihpi/hpimsginit.c:70 hpi_init_response() warn: potential spectre issue 'res_size' (local cap)
sound/pci/asihpi/hpioctl.c:189 asihpi_hpi_ioctl() warn: potential spectre issue 'adapters'
This patch puts array_index_nospec() for hardening against them.
BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/asihpi/hpimsginit.c | 13 +++++++++----
sound/pci/asihpi/hpioctl.c | 4 +++-
2 files changed, 12 insertions(+), 5 deletions(-)
--- a/sound/pci/asihpi/hpimsginit.c
+++ b/sound/pci/asihpi/hpimsginit.c
@@ -23,6 +23,7 @@
#include "hpi_internal.h"
#include "hpimsginit.h"
+#include <linux/nospec.h>
/* The actual message size for each object type */
static u16 msg_size[HPI_OBJ_MAXINDEX + 1] = HPI_MESSAGE_SIZE_BY_OBJECT;
@@ -39,10 +40,12 @@ static void hpi_init_message(struct hpi_
{
u16 size;
- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX))
+ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
+ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
size = msg_size[object];
- else
+ } else {
size = sizeof(*phm);
+ }
memset(phm, 0, size);
phm->size = size;
@@ -66,10 +69,12 @@ void hpi_init_response(struct hpi_respon
{
u16 size;
- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX))
+ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
+ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
size = res_size[object];
- else
+ } else {
size = sizeof(*phr);
+ }
memset(phr, 0, sizeof(*phr));
phr->size = size;
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -33,6 +33,7 @@
#include <linux/stringify.h>
#include <linux/module.h>
#include <linux/vmalloc.h>
+#include <linux/nospec.h>
#ifdef MODULE_FIRMWARE
MODULE_FIRMWARE("asihpi/dsp5000.bin");
@@ -182,7 +183,8 @@ long asihpi_hpi_ioctl(struct file *file,
struct hpi_adapter *pa = NULL;
if (hm->h.adapter_index < ARRAY_SIZE(adapters))
- pa = &adapters[hm->h.adapter_index];
+ pa = &adapters[array_index_nospec(hm->h.adapter_index,
+ ARRAY_SIZE(adapters))];
if (!pa || !pa->adapter || !pa->adapter->type) {
hpi_init_response(&hr->r0, hm->h.object,
next prev parent reply other threads:[~2018-04-30 19:26 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-30 19:24 [PATCH 4.4 00/44] 4.4.131-stable review Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 01/44] ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 02/44] ext4: set h_journal if there is a failure starting a reserved handle Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 03/44] ext4: add validity checks for bitmap block numbers Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 04/44] ext4: fix bitmap position validation Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 05/44] usbip: usbip_host: fix to hold parent lock for device_attach() calls Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 06/44] usbip: vhci_hcd: Fix usb device and sockfd leaks Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 07/44] USB: serial: simple: add libtransistor console Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 08/44] USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 09/44] USB: serial: cp210x: add ID for NI USB serial console Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 10/44] usb: core: Add quirk for HP v222w 16GB Mini Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 11/44] USB: Increment wakeup count on remote wakeup Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 12/44] ALSA: usb-audio: Skip broken EU on Dell dock USB-audio Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 13/44] virtio: add ability to iterate over vqs Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 15/44] drm/virtio: fix vq wait_event condition Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 16/44] tty: Dont call panic() at tty_ldisc_init() Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 17/44] tty: n_gsm: Fix long delays with control frame timeouts in ADM mode Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 18/44] tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 19/44] tty: Use __GFP_NOFAIL for tty_ldisc_get() Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 20/44] ALSA: opl3: Hardening for potential Spectre v1 Greg Kroah-Hartman
2018-04-30 19:24 ` Greg Kroah-Hartman [this message]
2018-04-30 19:24 ` [PATCH 4.4 22/44] ALSA: hdspm: " Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 23/44] ALSA: rme9652: " Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 24/44] ALSA: control: " Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 25/44] ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 26/44] ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 27/44] ALSA: seq: oss: Hardening for potential Spectre v1 Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 28/44] ALSA: hda: " Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 29/44] ALSA: hda/realtek - Add some fixes for ALC233 Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 30/44] mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 31/44] mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 32/44] mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 33/44] kobject: dont use WARN for registration failures Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 34/44] scsi: sd: Defer spinning up drive while SANITIZE is in progress Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 35/44] ARM: amba: Make driver_override output consistent with other buses Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 36/44] ARM: amba: Fix race condition with driver_override Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 37/44] ARM: amba: Dont read past the end of sysfs "driver_override" buffer Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 38/44] ASoC: fsl_esai: Fix divisor calculation failure at lower ratio Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 39/44] libceph: validate con->state at the top of try_write() Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 40/44] x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 41/44] x86/smpboot: Dont use mwait_play_dead() on AMD systems Greg Kroah-Hartman
2018-04-30 19:24 ` [PATCH 4.4 44/44] ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode Greg Kroah-Hartman
2018-04-30 23:56 ` Sriram R
2018-05-01 15:01 ` Greg Kroah-Hartman
2018-04-30 23:55 ` [PATCH 4.4 00/44] 4.4.131-stable review Nathan Chancellor
2018-05-01 15:03 ` Greg Kroah-Hartman
2018-05-01 13:19 ` Guenter Roeck
2018-05-01 14:22 ` Dan Rue
2018-05-01 19:08 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180430190947.189947288@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).