carl9170: prevent speculative execution

Since the queue value in function carl9170_op_conf_tx()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
ar9170_qmap and following ar->edcf, insert an observable
speculation barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>

diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c
index f1455a04cb623a06ab279c0686a1cf0c9576db31..152685575298ecfde68749de30a8b7cca1cfcd3b 100644 (file)
--- a/drivers/net/wireless/ath/carl9170/main.c
+++ b/drivers/net/wireless/ath/carl9170/main.c
@@ -1389,6 +1389,7 @@ static int carl9170_op_conf_tx(struct ieee80211_hw *hw,
 
        mutex_lock(&ar->mutex);
        if (queue < ar->hw->queues) {
+               osb();
                memcpy(&ar->edcf[ar9170_qmap[queue]], param, sizeof(*param));
                ret = carl9170_set_qos(ar);
        } else {