| From c709f14f0616482b67f9fbcb965e1493a03ff30b Mon Sep 17 00:00:00 2001 |
| From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> |
| Date: Wed, 20 Mar 2019 18:42:01 -0500 |
| Subject: ALSA: seq: oss: Fix Spectre v1 vulnerability |
| |
| From: Gustavo A. R. Silva <gustavo@embeddedor.com> |
| |
| commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream. |
| |
| dev is indirectly controlled by user-space, hence leading to |
| a potential exploitation of the Spectre variant 1 vulnerability. |
| |
| This issue was detected with the help of Smatch: |
| |
| sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap) |
| |
| Fix this by sanitizing dev before using it to index dp->synths. |
| |
| Notice that given that speculation windows are large, the policy is |
| to kill the speculation on the first load and not worry if it can be |
| completed with a dependent load/store [1]. |
| |
| [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/ |
| |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/core/seq/oss/seq_oss_synth.c | 7 ++++--- |
| 1 file changed, 4 insertions(+), 3 deletions(-) |
| |
| --- a/sound/core/seq/oss/seq_oss_synth.c |
| +++ b/sound/core/seq/oss/seq_oss_synth.c |
| @@ -617,13 +617,14 @@ int |
| snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf) |
| { |
| struct seq_oss_synth *rec; |
| + struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev); |
| |
| - if (dev < 0 || dev >= dp->max_synthdev) |
| + if (!info) |
| return -ENXIO; |
| |
| - if (dp->synths[dev].is_midi) { |
| + if (info->is_midi) { |
| struct midi_info minf; |
| - snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf); |
| + snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf); |
| inf->synth_type = SYNTH_TYPE_MIDI; |
| inf->synth_subtype = 0; |
| inf->nr_voices = 16; |
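Review bot: The return value of `snd_seq_oss_midi_make_info()` is discarded in the `info->is_midi` branch, and `struct midi_info minf;` is declared without an initializer. If that helper can bail out before filling `minf` (its definition is not visible here), any later read of `minf` would expose uninitialized kernel stack bytes, possibly to user space through `inf`. Assuming the helper returns an error code, the call should be checked, e.g. `if (snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf)) return -ENXIO;`. The range check and speculation clamp on `dev` now live entirely in `get_synthinfo_nospec()`, and `info->midi_mapped` is forwarded as a second index, so it is worth confirming the callee bounds it in the same way. The body of `snd_seq_oss_synth_make_info()` continues past the end of the hunk, so how `minf` is consumed has to be confirmed there.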