From: Jiri Bohac <jbohac@suse.cz>
Patch-mainline: Never, problem no longer present in v5.14
References: bsc#1192802
Subject: hysdn: fix spectre issue in hycapi_send_message

Found by Smatch:
	drivers/isdn/hysdn/hycapi.c:386 hycapi_send_message() warn: potential spectre issue 'hycapi_applications' [w]
	drivers/isdn/hysdn/hycapi.c:418 hycapi_send_message() warn: potential spectre issue 'hycapi_applications' [w]
	drivers/isdn/hysdn/hycapi.c:419 hycapi_send_message() warn: potential spectre issue 'hycapi_applications' [w]
	drivers/isdn/hysdn/hycapi.c:421 hycapi_send_message() warn: potential spectre issue 'hycapi_applications' [w]

---
 drivers/isdn/hysdn/hycapi.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/isdn/hysdn/hycapi.c b/drivers/isdn/hysdn/hycapi.c
index eac0f51a0f60..e47c16d92f28 100644
--- a/drivers/isdn/hysdn/hycapi.c
+++ b/drivers/isdn/hysdn/hycapi.c
@@ -30,6 +30,7 @@
 
 #include "hysdn_defs.h"
 #include <linux/kernelcapi.h>
+#include <linux/nospec.h>
 
 static char hycapi_revision[] = "$Revision: 1.8.6.4 $";
 
@@ -54,6 +55,7 @@ static inline int _hycapi_appCheck(int app_id, int ctrl_no)
 		printk(KERN_ERR "HYCAPI: Invalid request app_id %d for controller %d", app_id, ctrl_no);
 		return -1;
 	}
+	app_id = array_index_nospec(app_id, CAPI_MAXAPPL);
 	return ((hycapi_applications[app_id - 1].ctrl_mask & (1 << (ctrl_no-1))) != 0);
 }
 
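Review bot: The clamp added in _hycapi_appCheck uses the array size as the bound for a 1-based id, so `array_index_nospec(app_id, CAPI_MAXAPPL)` returns 0 for `app_id == CAPI_MAXAPPL`, and the following `hycapi_applications[app_id - 1]` then reads index -1. The guard sits above the hunk and is not visible, but the `CAPI_MAXAPPL + 1` bound used in hycapi_send_message suggests CAPI_MAXAPPL is an accepted id. If so, this is an architectural out-of-bounds read, not only a speculative one. Clamping the zero-based index avoids it: `app_id = array_index_nospec(app_id - 1, CAPI_MAXAPPL);` and then index with `hycapi_applications[app_id]`.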
@@ -370,20 +372,21 @@ firmware-releases that do not check the MsgLen-Indication!
 
 static u16 hycapi_send_message(struct capi_ctr *ctrl, struct sk_buff *skb)
 {
-	__u16 appl_id;
+	__u16 appl_id, appl_id_safe;
 	int _len, _len2;
 	__u8 msghead[64];
 	hycapictrl_info *cinfo = ctrl->driverdata;
 	u16 retval = CAPI_NOERROR;
 
 	appl_id = CAPIMSG_APPID(skb->data);
+	appl_id_safe = array_index_nospec(appl_id, CAPI_MAXAPPL + 1);
 	switch (_hycapi_appCheck(appl_id, ctrl->cnr))
 	{
 	case 0:
 /*			printk(KERN_INFO "Need to register\n"); */
 		hycapi_register_internal(ctrl,
 					 appl_id,
-					 &(hycapi_applications[appl_id - 1].rp));
+					 &(hycapi_applications[appl_id_safe - 1].rp));
 		break;
 	case 1:
 		break;
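Review bot: `appl_id_safe = array_index_nospec(appl_id, CAPI_MAXAPPL + 1)` clamps the 1-based id to 0..CAPI_MAXAPPL, so 0 remains a possible value. On a mispredicted path past the _hycapi_appCheck switch, `hycapi_applications[appl_id_safe - 1]` would then index -1, one element before the array. Clamping the zero-based index closes that gap: `appl_idx = array_index_nospec(appl_id - 1, CAPI_MAXAPPL);` and pass `&(hycapi_applications[appl_idx].rp)`. The same concern would apply to any `appl_id - 1` index after `appl_id = appl_id_safe;` in the next hunk; those uses are outside the visible lines, as is the rest of the function body. A short comment on that reassignment, such as `/* from here on appl_id is the speculation-safe value */`, would also make its purpose clear.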
@@ -392,6 +395,8 @@ static u16 hycapi_send_message(struct capi_ctr *ctrl, struct sk_buff *skb)
 		retval = CAPI_ILLAPPNR;
 		goto out;
 	}
+
+	appl_id = appl_id_safe;
 	switch (CAPIMSG_CMD(skb->data)) {
 	case CAPI_DISCONNECT_B3_RESP:
 		capilib_free_ncci(&cinfo->ncci_head, appl_id,
-- 
2.33.0