vt_ioctl: fix potential spectre v1 in VT_DISALLOCATE

In VT_ACTIVATE an almost identical code path has been patched
with array_index_nospec. In the VT_DISALLOCATE path, the arg is
the user input from a system call argument and lately used as a index
for vc_cons[index].d access, which can be reached through path like
vt_disallocate->vc_busy or vt_disallocate->vc_deallocate.
For consistency both code paths should have the same mitigations
applied. Also, the code style is adjusted as suggested by Jiri.

Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Link: https://lore.kernel.org/r/20220314122921.31223-1-xiam0nd.tong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
index 5801369..8c685b5 100644 (file)
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -898,11 +898,13 @@ int vt_ioctl(struct tty_struct *tty,
                if (arg > MAX_NR_CONSOLES)
                        return -ENXIO;
 
-               if (arg == 0)
+               if (arg == 0) {
                        vt_disallocate_all();
-               else
-                       return vt_disallocate(--arg);
-               break;
+                       break;
+               }
+
+               arg = array_index_nospec(arg - 1, MAX_NR_CONSOLES);
+               return vt_disallocate(arg);
 
        case VT_RESIZE:
        {