vt_ioctl: fix array_index_nospec in vt_setactivate

stable inclusion
from stable-v4.19.230
commit 170325aba4608bde3e7d21c9c19b7bc266ac0885
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADG0Z
CVE: CVE-2022-48804

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=170325aba4608bde3e7d21c9c19b7bc266ac0885



--------------------------------

commit 61cc70d9 upstream.

array_index_nospec ensures that an out-of-bounds value is set to zero
on the transient path. Decreasing the value by one afterwards causes
a transient integer underflow. vsa.console should be decreased first
and then sanitized with array_index_nospec.

Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
Amsterdam.

Co-developed-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
Signed-off-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
Link: https://lore.kernel.org/r/20220127144406.3589293-1-jakobkoschel@gmail.com


Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>