vt_ioctl: fix potential spectre v1 in VT_DISALLOCATE

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In VT_ACTIVATE an almost identical code path has been patched
with array_index_nospec. In the VT_DISALLOCATE path, the arg is
the user input from a system call argument and lately used as a index
for vc_cons[index].d access, which can be reached through path like
vt_disallocate->vc_busy or vt_disallocate->vc_deallocate.
For consistency both code paths should have the same mitigations
applied. Also, the code style is adjusted as suggested by Jiri.

Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Link: https://lore.kernel.org/r/20220314122921.31223-1-xiam0nd.tong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Xiaomeng Tong and committed by

Greg Kroah-Hartman 4 years ago b31c4133 f58c252e

+6 -4

1 changed file

expand all

drivers

tty

vt_ioctl.c

+6 -4

drivers/tty/vt/vt_ioctl.c

··· 898 898 if (arg > MAX_NR_CONSOLES) 899 899 return -ENXIO; 900 900 901 - if (arg == 0) 901 + if (arg == 0) { 902 902 vt_disallocate_all(); 903 - else 904 - return vt_disallocate(--arg); 905 - break; 903 + break; 904 + } 905 + 906 + arg = array_index_nospec(arg - 1, MAX_NR_CONSOLES); 907 + return vt_disallocate(arg); 906 908 907 909 case VT_RESIZE: 908 910 {