Commit 88d0facf authored Oct 11, 2019 by Jérôme Pouiller Committed by Greg Kroah-Hartman Oct 14, 2019

staging: wfx: fix potential vulnerability to spectre



array_index_nospec() should be applied after a bound check.

Fixes: 9bca45f3 ("staging: wfx: allow to send 802.11 frames")
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
Link: https://lore.kernel.org/r/20191011164746.2518-1-Jerome.Pouiller@silabs.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 44288f11

drivers/staging/wfx/wfx.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -13,6 +13,7 @@
		#include <linux/completion.h>
		#include <linux/workqueue.h>
		#include <linux/mutex.h>
		#include <linux/nospec.h>
		#include <net/mac80211.h>

		#include "bh.h"
		@@ -138,6 +139,7 @@ static inline struct wfx_vif wdev_to_wvif(struct wfx_dev wdev, int vif_id)
		dev_dbg(wdev->dev, "requesting non-existent vif: %d\n", vif_id);
		return NULL;
		}
		vif_id = array_index_nospec(vif_id, ARRAY_SIZE(wdev->vif));
		if (!wdev->vif[vif_id]) {
		dev_dbg(wdev->dev, "requesting non-allocated vif: %d\n", vif_id);
		return NULL;

Admin message