diff options
author | Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> | 2023-04-11 19:45:32 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-04-20 14:11:33 +0200 |
commit | 2b3174c96696cde676393474f0e01d0d108462f5 (patch) | |
tree | a81a0ae7a4f0ff1c08bff6d31c0d621653f6e39a /drivers/tty | |
parent | f91cf1a30255d81cf1d8992974ec0a9c0fd4a771 (diff) |
n_gsm: Use array_index_nospec() with index that comes from userspace
dc.channel used for indexing comes directly from copy_from_user(). Use
array_index_nospec() to mitigate speculative side-channel.
Link: https://lore.kernel.org/linux-serial/64306d13.ONswMlyWlVKLGkKR%25lkp@intel.com/
Cc: stable <stable@kernel.org>
Fixes: afe3154ba87e ("tty: n_gsm: add ioctl for DLC config via ldisc handle")
Reported-by: kernel test robot <lkp@intel.com>
Reviewed-by: Daniel Starke <daniel.starke@siemens.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20230411164532.64175-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/tty')
-rw-r--r-- | drivers/tty/n_gsm.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index c42c8b89fd46..b411a26cc092 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -42,6 +42,7 @@ #include <linux/ctype.h> #include <linux/mm.h> #include <linux/math.h> +#include <linux/nospec.h> #include <linux/string.h> #include <linux/slab.h> #include <linux/poll.h> @@ -3717,8 +3718,8 @@ static int gsmld_ioctl(struct tty_struct *tty, unsigned int cmd, struct gsm_config_ext ce; struct gsm_dlci_config dc; struct gsm_mux *gsm = tty->disc_data; + unsigned int base, addr; struct gsm_dlci *dlci; - unsigned int base; switch (cmd) { case GSMIOC_GETCONF: @@ -3747,9 +3748,10 @@ static int gsmld_ioctl(struct tty_struct *tty, unsigned int cmd, return -EFAULT; if (dc.channel == 0 || dc.channel >= NUM_DLCI) return -EINVAL; - dlci = gsm->dlci[dc.channel]; + addr = array_index_nospec(dc.channel, NUM_DLCI); + dlci = gsm->dlci[addr]; if (!dlci) { - dlci = gsm_dlci_alloc(gsm, dc.channel); + dlci = gsm_dlci_alloc(gsm, addr); if (!dlci) return -ENOMEM; } @@ -3762,9 +3764,10 @@ static int gsmld_ioctl(struct tty_struct *tty, unsigned int cmd, return -EFAULT; if (dc.channel == 0 || dc.channel >= NUM_DLCI) return -EINVAL; - dlci = gsm->dlci[dc.channel]; + addr = array_index_nospec(dc.channel, NUM_DLCI); + dlci = gsm->dlci[addr]; if (!dlci) { - dlci = gsm_dlci_alloc(gsm, dc.channel); + dlci = gsm_dlci_alloc(gsm, addr); if (!dlci) return -ENOMEM; } |