vmci: prevent speculation leaks by sanitizing event in event_deliver()

author Hagar Gamal Halim Hemdan <[email protected]>

Tue, 30 Apr 2024 08:59:16 +0000 (08:59 +0000)

committer Greg Kroah-Hartman <[email protected]>

Fri, 3 May 2024 05:28:53 +0000 (07:28 +0200)
author Hagar Gamal Halim Hemdan <[email protected]>
Tue, 30 Apr 2024 08:59:16 +0000 (08:59 +0000)
committer Greg Kroah-Hartman <[email protected]>
Fri, 3 May 2024 05:28:53 +0000 (07:28 +0200)
diff --git a/drivers/misc/vmw_vmci/vmci_event.c b/drivers/misc/vmw_vmci/vmci_event.c

index 5d7ac07623c27330d42a37686329293b2761ef67..9a41ab65378de0fdc77949ef46cc9dc21ba37943 100644 (file)
--- a/drivers/misc/vmw_vmci/vmci_event.c
+++ b/drivers/misc/vmw_vmci/vmci_event.c
@@ -9,6 +9,7 @@
  #include <linux/vmw_vmci_api.h>
  #include <linux/list.h>
  #include <linux/module.h>
+#include <linux/nospec.h>
  #include <linux/sched.h>
  #include <linux/slab.h>
  #include <linux/rculist.h>
@@ -86,9 +87,12 @@ static void event_deliver(struct vmci_event_msg *event_msg)
  {
         struct vmci_subscription *cur;
         struct list_head *subscriber_list;
+       u32 sanitized_event, max_vmci_event;
  
         rcu_read_lock();
-       subscriber_list = &subscriber_array[event_msg->event_data.event];
+       max_vmci_event = ARRAY_SIZE(subscriber_array);
+       sanitized_event = array_index_nospec(event_msg->event_data.event, max_vmci_event);
+       subscriber_list = &subscriber_array[sanitized_event];
         list_for_each_entry_rcu(cur, subscriber_list, node) {
                 cur->callback(cur->id, &event_msg->event_data,
                               cur->callback_data);
author	Hagar Gamal Halim Hemdan <[email protected]>
	Tue, 30 Apr 2024 08:59:16 +0000 (08:59 +0000)
committer	Greg Kroah-Hartman <[email protected]>
	Fri, 3 May 2024 05:28:53 +0000 (07:28 +0200)