linux/sound/core/seq
Takashi Iwai 8d218dd811 ALSA: seq: oss: Hardening for potential Spectre v1
As Smatch recently suggested, a few places in OSS sequencer codes may
expand the array directly from the user-space value with speculation,
namely there are a significant amount of references to either
info->ch[] or dp->synths[] array:

  sound/core/seq/oss/seq_oss_event.c:315 note_on_event() warn: potential spectre issue 'info->ch' (local cap)
  sound/core/seq/oss/seq_oss_event.c:362 note_off_event() warn: potential spectre issue 'info->ch' (local cap)
  sound/core/seq/oss/seq_oss_synth.c:470 snd_seq_oss_synth_load_patch() warn: potential spectre issue 'dp->synths' (local cap)
  sound/core/seq/oss/seq_oss_event.c:293 note_on_event() warn: potential spectre issue 'dp->synths'
  sound/core/seq/oss/seq_oss_event.c:353 note_off_event() warn: potential spectre issue 'dp->synths'
  sound/core/seq/oss/seq_oss_synth.c:506 snd_seq_oss_synth_sysex() warn: potential spectre issue 'dp->synths'
  sound/core/seq/oss/seq_oss_synth.c:580 snd_seq_oss_synth_ioctl() warn: potential spectre issue 'dp->synths'

Although all these seem doing only the first load without further
reference, we may want to stay in a safer side, so hardening with
array_index_nospec() would still make sense.

We may put array_index_nospec() at each place, but here we take a
different approach:

- For dp->synths[], change the helpers to retrieve seq_oss_synthinfo
  pointer directly instead of the array expansion at each place

- For info->ch[], harden in a normal way, as there are only a couple
  of places

As a result, the existing helper, snd_seq_oss_synth_is_valid() is
replaced with snd_seq_oss_synth_info().  Also, we cover MIDI device
where a similar array expansion is done, too, although it wasn't
reported by Smatch.

BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-25 10:37:45 +02:00
..
oss ALSA: seq: oss: Hardening for potential Spectre v1 2018-04-25 10:37:45 +02:00
Kconfig ALSA: seq: Fix CONFIG_SND_SEQ_MIDI dependency 2017-08-11 09:51:41 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
seq.c ALSA: timer: remove legacy rtctimer 2016-04-25 10:41:46 +02:00
seq_clientmgr.c ALSA: seq: Clear client entry before deleting else at closing 2018-03-10 17:30:01 +01:00
seq_clientmgr.h ALSA: seq: Make ioctls race-free 2018-01-11 14:37:51 +01:00
seq_compat.c ALSA: seq: fix passing wrong pointer in function call of compatibility layer 2016-10-12 20:09:36 +02:00
seq_dummy.c ALSA: seq: Drop snd_seq_autoload_lock() and _unlock() 2015-02-12 14:42:31 +01:00
seq_fifo.c ALSA: seq: More protection for concurrent write and ioctl races 2018-03-08 12:05:37 +01:00
seq_fifo.h
seq_info.c ALSA: core: Build conditionally and remove superfluous ifdefs 2015-04-24 17:31:07 +02:00
seq_info.h ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS 2015-05-27 21:25:19 +02:00
seq_lock.c ALSA: seq: Enable 'use' locking in all configurations 2017-10-18 08:01:46 +02:00
seq_lock.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
seq_memory.c ALSA: seq: More protection for concurrent write and ioctl races 2018-03-08 12:05:37 +01:00
seq_memory.h ALSA: seq: More protection for concurrent write and ioctl races 2018-03-08 12:05:37 +01:00
seq_midi.c ALSA: seq: Drop snd_seq_autoload_lock() and _unlock() 2015-02-12 14:42:31 +01:00
seq_midi_emul.c ALSA: seq: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:03 +02:00
seq_midi_event.c ALSA: seq: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:03 +02:00
seq_ports.c ALSA: seq: Fix use-after-free at creating a port 2017-10-11 09:58:18 +02:00
seq_ports.h ALSA: seq: remove unused callback_all field 2015-01-26 13:56:58 +01:00
seq_prioq.c ALSA: seq: Fix possible UAF in snd_seq_check_queue() 2018-03-10 17:29:49 +01:00
seq_prioq.h ALSA: seq: Fix possible UAF in snd_seq_check_queue() 2018-03-10 17:29:49 +01:00
seq_queue.c ALSA: seq: Fix possible UAF in snd_seq_check_queue() 2018-03-10 17:29:49 +01:00
seq_queue.h ALSA: seq: 2nd attempt at fixing race creating a queue 2017-08-15 08:02:35 +02:00
seq_system.c
seq_system.h
seq_timer.c ALSA: seq: Process queue tempo/ppq change in a shot 2018-01-15 16:48:36 +01:00
seq_timer.h ALSA: seq: Process queue tempo/ppq change in a shot 2018-01-15 16:48:36 +01:00
seq_virmidi.c ALSA: seq: Fix copy_from_user() call inside lock 2017-10-09 14:10:13 +02:00