Commit f3af1b68 authored by Jiri Slaby's avatar Jiri Slaby Committed by Greg Kroah-Hartman

tty: keyboard, do not speculate on func_table index

It is very unlikely for processor to speculate on the func_table index.
The index is uchar and func_table is of size 256. So the compiler would
need to screw up and generate a really bad code.

But to stay on the safe side, forbid speculation on this user passed
index.
Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
Cc: Jiri Kosina <jikos@kernel.org>
Link: https://lore.kernel.org/r/20200730105546.24268-1-jslaby@suse.czSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7df5081c
...@@ -32,6 +32,7 @@ ...@@ -32,6 +32,7 @@
#include <linux/tty.h> #include <linux/tty.h>
#include <linux/tty_flip.h> #include <linux/tty_flip.h>
#include <linux/mm.h> #include <linux/mm.h>
#include <linux/nospec.h>
#include <linux/string.h> #include <linux/string.h>
#include <linux/init.h> #include <linux/init.h>
#include <linux/slab.h> #include <linux/slab.h>
...@@ -2019,7 +2020,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) ...@@ -2019,7 +2020,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
goto reterr; goto reterr;
} }
kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0'; kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0';
i = kbs->kb_func; i = array_index_nospec(kbs->kb_func, MAX_NR_FUNC);
switch (cmd) { switch (cmd) {
case KDGKBSENT: case KDGKBSENT:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment