ALSA: seq: oss: Fix Spectre v1 vulnerability [Linux 3.16.72]

This Linux kernel change "ALSA: seq: oss: Fix Spectre v1 vulnerability" is included in the Linux 3.16.72 release. It was authored by Gustavo A. R. Silva <gustavo [at] embeddedor.com> on Wed Mar 20 18:42:01 2019 -0500. The commit for this change in the Linux stable tree is 09e3abf, which comes from upstream commit c709f14. The same upstream change may have been applied to other maintained Linux releases.

ALSA: seq: oss: Fix Spectre v1 vulnerability

commit c709f14f0616482b67f9fbcb965e1493a03ff30b upstream.

dev is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

sound/core/seq/oss/seq_oss_synth.c:626 snd_seq_oss_synth_make_info() warn: potential spectre issue 'dp->synths' [w] (local cap)

Fix this by sanitizing dev before using it to index dp->synths.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/[email protected]/

Signed-off-by: Gustavo A. R. Silva <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
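
The sanitizing step the commit message describes, sketched in user-space C as an added example (not code from the patch or the kernel tree). The mask arithmetic is modeled on the kernel's generic C fallback for array_index_nospec(); the struct layouts, `MAX_SYNTH_DEVS` and the helper names are assumptions, since the page does not show the body of get_synthinfo_nospec().

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SYNTH_DEVS 16            /* constructed array capacity */

struct synthinfo { int is_midi; int midi_mapped; };      /* hypothetical, trimmed */
struct devinfo {
    int max_synthdev;                /* number of entries currently valid */
    struct synthinfo synths[MAX_SYNTH_DEVS];
};

/* ~0UL when index < size, 0 otherwise, computed with no conditional branch.
 * Relies on arithmetic right shift of a negative long (true for GCC/Clang). */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Hide the value from the optimizer so a preceding bounds check cannot
     * be used to fold the mask to a constant (GCC/Clang inline asm). */
    __asm__ __volatile__("" : "+r"(index));
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Returns the entry for dev, or NULL when dev is out of range. */
static struct synthinfo *get_info_nospec(struct devinfo *dp, int dev)
{
    unsigned long idx;

    if (dev < 0 || dev >= dp->max_synthdev)
        return NULL;                 /* architectural check */
    /* If the branch above is mispredicted, the data-dependent mask forces
     * idx to 0, so the first load stays inside synths[]. */
    idx = (unsigned long)dev;
    idx &= index_mask_nospec(idx, MAX_SYNTH_DEVS);
    return &dp->synths[idx];
}

int main(void)
{
    struct devinfo d = { .max_synthdev = 4 };
    int probes[] = { -1, 0, 3, 4, 1000 };   /* constructed inputs */

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("dev=%5d mask=%#lx entry=%s\n", probes[i],
               index_mask_nospec((unsigned long)probes[i], MAX_SYNTH_DEVS),
               get_info_nospec(&d, probes[i]) ? "ok" : "NULL");
    return 0;
}
```

The mask is taken against the fixed array capacity rather than `max_synthdev`, so it only guarantees the speculative load stays inside the array; the ordinary bounds check still decides which entries are valid.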

There are 7 lines of Linux source code added/deleted in this change. The code changes to the Linux kernel are as follows.

 sound/core/seq/oss/seq_oss_synth.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
index 8bf5335..6ab2de7 100644
--- a/sound/core/seq/oss/seq_oss_synth.c
+++ b/sound/core/seq/oss/seq_oss_synth.c
@@ -617,13 +617,14 @@ struct seq_oss_synthinfo *
 snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
 {
    struct seq_oss_synth *rec;
+   struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);

-   if (dev < 0 || dev >= dp->max_synthdev)
+   if (!info)
        return -ENXIO;

-   if (dp->synths[dev].is_midi) {
+   if (info->is_midi) {
        struct midi_info minf;
-       snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
+       snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf);
        inf->synth_type = SYNTH_TYPE_MIDI;
        inf->synth_subtype = 0;
        inf->nr_voices = 16;
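
Review bot: the `if (!info)` test replaces the explicit `dev < 0 || dev >= dp->max_synthdev` check, so the range validation for this function now lives entirely inside get_synthinfo_nospec(), whose body is not part of this diff. The -ENXIO path is only preserved if that helper returns NULL for both negative dev and dev >= dp->max_synthdev before it clamps the index, so it is worth confirming that against the helper's definition, and a one-line comment above `if (!info)` saying that NULL means "dev out of range" would keep the intent readable here. The rest of the function falls outside the visible context; any later `dp->synths[dev]` access there should go through `info` as well so no unsanitized index remains.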
