vt_ioctl: fix potential spectre v1 in VT_DISALLOCATE

In VT_ACTIVATE an almost identical code path has been patched
with array_index_nospec. In the VT_DISALLOCATE path, the arg is
the user input from a system call argument and lately used as a index
for vc_cons[index].d access, which can be reached through path like
vt_disallocate->vc_busy or vt_disallocate->vc_deallocate.
For consistency both code paths should have the same mitigations
applied. Also, the code style is adjusted as suggested by Jiri.

Reviewed-by: Jiri Slaby <[email protected]>
Signed-off-by: Xiaomeng Tong <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
index 58013698635f013d6ef2f1f138860ab8d82ca3db..8c685b5014044b891c40e1cf00bd4629a661e33f 100644 (file)
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -898,11 +898,13 @@ int vt_ioctl(struct tty_struct *tty,
                if (arg > MAX_NR_CONSOLES)
                        return -ENXIO;
 
-               if (arg == 0)
+               if (arg == 0) {
                        vt_disallocate_all();
-               else
-                       return vt_disallocate(--arg);
-               break;
+                       break;
+               }
+
+               arg = array_index_nospec(arg - 1, MAX_NR_CONSOLES);
+               return vt_disallocate(arg);
 
        case VT_RESIZE:
        {