aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2018-04-24 02:01:48 -0400
committerTakashi Iwai <tiwai@suse.de>2018-04-25 04:37:47 -0400
commitf9d94b57e30fd1575b4935045b32d738668aa74b (patch)
tree14fed608682d7de7c2a66245a06b6e79a1b39b14
parent7f054a5bee0987f1e2d4e59daea462421c76f2cb (diff)
ALSA: asihpi: Hardening for potential Spectre v1
As recently Smatch suggested, a couple of places in ASIHPI driver may expand the array directly from the user-space value with speculation: sound/pci/asihpi/hpimsginit.c:70 hpi_init_response() warn: potential spectre issue 'res_size' (local cap) sound/pci/asihpi/hpioctl.c:189 asihpi_hpi_ioctl() warn: potential spectre issue 'adapters' This patch puts array_index_nospec() for hardening against them. BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2 Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat
-rw-r--r--sound/pci/asihpi/hpimsginit.c13
-rw-r--r--sound/pci/asihpi/hpioctl.c4
2 files changed, 12 insertions, 5 deletions
diff --git a/sound/pci/asihpi/hpimsginit.c b/sound/pci/asihpi/hpimsginit.c
index 7eb617175fde..a31a70dccecf 100644
--- a/sound/pci/asihpi/hpimsginit.c
+++ b/sound/pci/asihpi/hpimsginit.c
@@ -23,6 +23,7 @@
23 23
24#include "hpi_internal.h" 24#include "hpi_internal.h"
25#include "hpimsginit.h" 25#include "hpimsginit.h"
26#include <linux/nospec.h>
26 27
27/* The actual message size for each object type */ 28/* The actual message size for each object type */
28static u16 msg_size[HPI_OBJ_MAXINDEX + 1] = HPI_MESSAGE_SIZE_BY_OBJECT; 29static u16 msg_size[HPI_OBJ_MAXINDEX + 1] = HPI_MESSAGE_SIZE_BY_OBJECT;
@@ -39,10 +40,12 @@ static void hpi_init_message(struct hpi_message *phm, u16 object,
39{ 40{
40 u16 size; 41 u16 size;
41 42
42 if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) 43 if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
44 object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
43 size = msg_size[object]; 45 size = msg_size[object];
44 else 46 } else {
45 size = sizeof(*phm); 47 size = sizeof(*phm);
48 }
46 49
47 memset(phm, 0, size); 50 memset(phm, 0, size);
48 phm->size = size; 51 phm->size = size;
@@ -66,10 +69,12 @@ void hpi_init_response(struct hpi_response *phr, u16 object, u16 function,
66{ 69{
67 u16 size; 70 u16 size;
68 71
69 if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) 72 if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
73 object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
70 size = res_size[object]; 74 size = res_size[object];
71 else 75 } else {
72 size = sizeof(*phr); 76 size = sizeof(*phr);
77 }
73 78
74 memset(phr, 0, sizeof(*phr)); 79 memset(phr, 0, sizeof(*phr));
75 phr->size = size; 80 phr->size = size;
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 5badd08e1d69..b1a2a7ea4172 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -33,6 +33,7 @@
33#include <linux/stringify.h> 33#include <linux/stringify.h>
34#include <linux/module.h> 34#include <linux/module.h>
35#include <linux/vmalloc.h> 35#include <linux/vmalloc.h>
36#include <linux/nospec.h>
36 37
37#ifdef MODULE_FIRMWARE 38#ifdef MODULE_FIRMWARE
38MODULE_FIRMWARE("asihpi/dsp5000.bin"); 39MODULE_FIRMWARE("asihpi/dsp5000.bin");
@@ -186,7 +187,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
186 struct hpi_adapter *pa = NULL; 187 struct hpi_adapter *pa = NULL;
187 188
188 if (hm->h.adapter_index < ARRAY_SIZE(adapters)) 189 if (hm->h.adapter_index < ARRAY_SIZE(adapters))
189 pa = &adapters[hm->h.adapter_index]; 190 pa = &adapters[array_index_nospec(hm->h.adapter_index,
191 ARRAY_SIZE(adapters))];
190 192
191 if (!pa || !pa->adapter || !pa->adapter->type) { 193 if (!pa || !pa->adapter || !pa->adapter->type) {
192 hpi_init_response(&hr->r0, hm->h.object, 194 hpi_init_response(&hr->r0, hm->h.object,
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-26 12:59:48 -0500