| From 2b1d9c8f87235f593826b9cf46ec10247741fff9 Mon Sep 17 00:00:00 2001 |
| From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> |
| Date: Wed, 20 Mar 2019 16:15:24 -0500 |
| Subject: ALSA: rawmidi: Fix potential Spectre v1 vulnerability |
| |
| From: Gustavo A. R. Silva <gustavo@embeddedor.com> |
| |
| commit 2b1d9c8f87235f593826b9cf46ec10247741fff9 upstream. |
| |
| info->stream is indirectly controlled by user-space, hence leading to |
| a potential exploitation of the Spectre variant 1 vulnerability. |
| |
| This issue was detected with the help of Smatch: |
| |
| sound/core/rawmidi.c:604 __snd_rawmidi_info_select() warn: potential spectre issue 'rmidi->streams' [r] (local cap) |
| |
| Fix this by sanitizing info->stream before using it to index |
| rmidi->streams. |
| |
| Notice that given that speculation windows are large, the policy is |
| to kill the speculation on the first load and not worry if it can be |
| completed with a dependent load/store [1]. |
| |
| [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ |
| |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/core/rawmidi.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/sound/core/rawmidi.c |
| +++ b/sound/core/rawmidi.c |
| @@ -29,6 +29,7 @@ |
| #include <linux/mutex.h> |
| #include <linux/module.h> |
| #include <linux/delay.h> |
| +#include <linux/nospec.h> |
| #include <sound/rawmidi.h> |
| #include <sound/info.h> |
| #include <sound/control.h> |
| @@ -591,6 +592,7 @@ static int __snd_rawmidi_info_select(str |
| return -ENXIO; |
| if (info->stream < 0 || info->stream > 1) |
| return -EINVAL; |
| + info->stream = array_index_nospec(info->stream, 2); |
| pstr = &rmidi->streams[info->stream]; |
| if (pstr->substream_count == 0) |
| return -ENOENT; |
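Review bot: The added clamp hard-codes `2` and the check above it hard-codes `> 1`, so both the architectural bound and the speculation bound match the size of `rmidi->streams` only by convention. If `streams` is a fixed-size array (its declaration is outside this hunk), `info->stream = array_index_nospec(info->stream, ARRAY_SIZE(rmidi->streams));` would keep the mask correct should the array size ever change. A one-line comment such as `/* the range check above can be bypassed under speculation; clamp before indexing */` would also keep a later cleanup from dropping the line as redundant with the `-EINVAL` check. The body of `__snd_rawmidi_info_select` starts and ends outside the hunk, so any other uses of `info->stream` as an index are not visible here.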