linux/sound/core/seq/oss
Takashi Iwai 8d218dd811 ALSA: seq: oss: Hardening for potential Spectre v1
As Smatch recently suggested, a few places in OSS sequencer codes may
expand the array directly from the user-space value with speculation,
namely there are a significant amount of references to either
info->ch[] or dp->synths[] array:

  sound/core/seq/oss/seq_oss_event.c:315 note_on_event() warn: potential spectre issue 'info->ch' (local cap)
  sound/core/seq/oss/seq_oss_event.c:362 note_off_event() warn: potential spectre issue 'info->ch' (local cap)
  sound/core/seq/oss/seq_oss_synth.c:470 snd_seq_oss_synth_load_patch() warn: potential spectre issue 'dp->synths' (local cap)
  sound/core/seq/oss/seq_oss_event.c:293 note_on_event() warn: potential spectre issue 'dp->synths'
  sound/core/seq/oss/seq_oss_event.c:353 note_off_event() warn: potential spectre issue 'dp->synths'
  sound/core/seq/oss/seq_oss_synth.c:506 snd_seq_oss_synth_sysex() warn: potential spectre issue 'dp->synths'
  sound/core/seq/oss/seq_oss_synth.c:580 snd_seq_oss_synth_ioctl() warn: potential spectre issue 'dp->synths'

Although all these seem doing only the first load without further
reference, we may want to stay in a safer side, so hardening with
array_index_nospec() would still make sense.

We may put array_index_nospec() at each place, but here we take a
different approach:

- For dp->synths[], change the helpers to retrieve seq_oss_synthinfo
  pointer directly instead of the array expansion at each place

- For info->ch[], harden in a normal way, as there are only a couple
  of places

As a result, the existing helper, snd_seq_oss_synth_is_valid() is
replaced with snd_seq_oss_synth_info().  Also, we cover MIDI device
where a similar array expansion is done, too, although it wasn't
reported by Smatch.

BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-25 10:37:45 +02:00
..
Makefile ALSA: seq: Allow the tristate build of OSS emulation 2017-06-09 22:09:45 +02:00
seq_oss_device.h sound: annotate ->poll() instances 2017-11-27 16:20:02 -05:00
seq_oss_event.c ALSA: seq: oss: Hardening for potential Spectre v1 2018-04-25 10:37:45 +02:00
seq_oss_event.h
seq_oss_init.c ALSA: seq: oss: Don't drain at closing a client 2016-03-01 20:26:40 +01:00
seq_oss_ioctl.c ALSA: seq_oss: Drop debug prints 2014-02-14 08:14:13 +01:00
seq_oss_midi.c ALSA: seq: oss: Hardening for potential Spectre v1 2018-04-25 10:37:45 +02:00
seq_oss_midi.h
seq_oss_readq.c ALSA: seq: Fix OSS sysex delivery in OSS emulation 2017-11-07 16:05:24 +01:00
seq_oss_readq.h ALSA: seq: Fix OSS sysex delivery in OSS emulation 2017-11-07 16:05:24 +01:00
seq_oss_rw.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
seq_oss_synth.c ALSA: seq: oss: Hardening for potential Spectre v1 2018-04-25 10:37:45 +02:00
seq_oss_synth.h ALSA: seq: oss: Hardening for potential Spectre v1 2018-04-25 10:37:45 +02:00
seq_oss_timer.c ALSA: seq_oss: Drop debug prints 2014-02-14 08:14:13 +01:00
seq_oss_timer.h
seq_oss_writeq.c sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h> 2017-03-02 08:42:32 +01:00
seq_oss_writeq.h
seq_oss.c sound: annotate ->poll() instances 2017-11-27 16:20:02 -05:00