--- /dev/null
+From 4b2c5a14cd8005a900075f7dfec87473c6ee66fb Mon Sep 17 00:00:00 2001
+From: Masashi Honma <masashi.honma@gmail.com>
+Date: Sun, 8 Sep 2019 09:56:53 +0900
+Subject: nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
+
+From: Masashi Honma <masashi.honma@gmail.com>
+
+commit 4b2c5a14cd8005a900075f7dfec87473c6ee66fb upstream.
+
+commit 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM
+RSSI thresholds") was incomplete and requires one more fix to
+prevent accessing to rssi_thresholds[n] because user can control
+rssi_thresholds[i] values to make i reach to n. For example,
+rssi_thresholds = {-400, -300, -200, -100} when last is -34.
+
+Cc: stable@vger.kernel.org
+Fixes: 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+Link: https://lore.kernel.org/r/20190908005653.17433-1-masashi.honma@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10659,9 +10659,11 @@ static int cfg80211_cqm_rssi_update(stru
+ hyst = wdev->cqm_config->rssi_hyst;
+ n = wdev->cqm_config->n_rssi_thresholds;
+
+- for (i = 0; i < n; i++)
++ for (i = 0; i < n; i++) {
++ i = array_index_nospec(i, n);
+ if (last < wdev->cqm_config->rssi_thresholds[i])
+ break;
++ }
+
+ low_index = i - 1;
+ if (low_index >= 0) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
