vt_ioctl: fix potential spectre v1 in VT_DISALLOCATE

Xiaomeng Tong · gregkh · commit b31c41339f4f · 2022-03-18T14:35:01.000+01:00
In VT_ACTIVATE an almost identical code path has been patched with array_index_nospec. In the VT_DISALLOCATE path, the arg is the user input from a system call argument and lately used as a index for vc_cons[index].d access, which can be reached through path like vt_disallocate->vc_busy or vt_disallocate->vc_deallocate. For consistency both code paths should have the same mitigations applied. Also, the code style is adjusted as suggested by Jiri. Reviewed-by: Jiri Slaby <jirislaby@kernel.org> Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com> Link: https://lore.kernel.org/r/20220314122921.31223-1-xiam0nd.tong@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
@@ -898,11 +898,13 @@ int vt_ioctl(struct tty_struct *tty,
 		if (arg > MAX_NR_CONSOLES)
 			return -ENXIO;
 
-		if (arg == 0)
+		if (arg == 0) {
 			vt_disallocate_all();
-		else
-			return vt_disallocate(--arg);
-		break;
+			break;
+		}
+
+		arg = array_index_nospec(arg - 1, MAX_NR_CONSOLES);
+		return vt_disallocate(arg);
 
 	case VT_RESIZE:
 	{
