| From 7f054a5bee0987f1e2d4e59daea462421c76f2cb Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Tue, 24 Apr 2018 07:56:07 +0200 |
| Subject: ALSA: opl3: Hardening for potential Spectre v1 |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit 7f054a5bee0987f1e2d4e59daea462421c76f2cb upstream. |
| |
| As recently Smatch suggested, one place in OPL3 driver may expand the |
| array directly from the user-space value with speculation: |
| sound/drivers/opl3/opl3_synth.c:476 snd_opl3_set_voice() warn: potential spectre issue 'snd_opl3_regmap' |
| |
| This patch puts array_index_nospec() for hardening against it. |
| |
| BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2 |
| Reported-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/drivers/opl3/opl3_synth.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| --- a/sound/drivers/opl3/opl3_synth.c |
| +++ b/sound/drivers/opl3/opl3_synth.c |
| @@ -21,6 +21,7 @@ |
| |
| #include <linux/slab.h> |
| #include <linux/export.h> |
| +#include <linux/nospec.h> |
| #include <sound/opl3.h> |
| #include <sound/asound_fm.h> |
| |
| @@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd |
| { |
| unsigned short reg_side; |
| unsigned char op_offset; |
| - unsigned char voice_offset; |
| + unsigned char voice_offset, voice_op; |
| |
| unsigned short opl3_reg; |
| unsigned char reg_val; |
| @@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd |
| voice_offset = voice->voice - MAX_OPL2_VOICES; |
| } |
| /* Get register offset of operator */ |
| - op_offset = snd_opl3_regmap[voice_offset][voice->op]; |
| + voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES); |
| + voice_op = array_index_nospec(voice->op, 4); |
| + op_offset = snd_opl3_regmap[voice_offset][voice_op]; |
| |
| reg_val = 0x00; |
| /* Set amplitude modulation (tremolo) effect */ |