| Message ID | 20190908005653.17433-1-masashi.honma@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Johannes Berg |
| Headers | show |
| Series | nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds | expand |
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 3e30e18d1d89..773b22654c23 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -10805,9 +10805,11 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev, hyst = wdev->cqm_config->rssi_hyst; n = wdev->cqm_config->n_rssi_thresholds; - for (i = 0; i < n; i++) + for (i = 0; i < n; i++) { + i = array_index_nospec(i, n); if (last < wdev->cqm_config->rssi_thresholds[i]) break; + } low_index = i - 1; if (low_index >= 0) {
commit 1222a16014888ed9733c11e221730d4a8196222b "nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds" requires one more fix to prevent accessing to rssi_thresholds[n]. Because user can control rssi_thresholds[i] values to make i reach to n. For example, rssi_thresholds = {-400, -300, -200, -100} when last is -34. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Masashi Honma <masashi.honma@gmail.com> --- net/wireless/nl80211.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)