nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds

commit 4b2c5a14cd8005a900075f7dfec87473c6ee66fb upstream.

commit 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM
RSSI thresholds") was incomplete and requires one more fix to
prevent accessing to rssi_thresholds[n] because user can control
rssi_thresholds[i] values to make i reach to n. For example,
rssi_thresholds = {-400, -300, -200, -100} when last is -34.

Cc: stable@vger.kernel.org
Fixes: 1222a1601488 ("nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Link: https://lore.kernel.org/r/20190908005653.17433-1-masashi.honma@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c672a790df1ce6917b2af29191dd14290a15ec57..f19d5a55f09ef236c4f3512625d214073c6cf001 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9753,9 +9753,11 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
        hyst = wdev->cqm_config->rssi_hyst;
        n = wdev->cqm_config->n_rssi_thresholds;
 
-       for (i = 0; i < n; i++)
+       for (i = 0; i < n; i++) {
+               i = array_index_nospec(i, n);
                if (last < wdev->cqm_config->rssi_thresholds[i])
                        break;
+       }
 
        low_index = i - 1;
        if (low_index >= 0) {