Date: Mon, 23 Apr 2018 12:48:11 -0500
From: "Gustavo A. R. Silva"
To: Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva", Dan Carpenter
Cc: Ramesh Shanmugasundaram, linux-renesas-soc@vger.kernel.org
Subject: [PATCH 07/11] rcar_drif: fix potential Spectre variant 1

f->index can be controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.

Smatch warning:
drivers/media/platform/rcar_drif.c:909 rcar_drif_enum_fmt_sdr_cap() warn: potential spectre issue 'formats'

Fix this by sanitizing f->index before using it to index formats.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter
Signed-off-by: Gustavo A. R. Silva
---
 drivers/media/platform/rcar_drif.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/rcar_drif.c b/drivers/media/platform/rcar_drif.c index dc7e280..2c21ec2 100644 --- a/drivers/media/platform/rcar_drif.c +++ b/drivers/media/platform/rcar_drif.c @@ -66,6 +66,8 @@ #include #include +#include + /* DRIF register offsets */ #define RCAR_DRIF_SITMDR1 0x00 #define RCAR_DRIF_SITMDR2 0x04 @@ -905,7 +907,7 @@ static int rcar_drif_enum_fmt_sdr_cap(struct file *file, void *priv, { if (f->index >= ARRAY_SIZE(formats)) return -EINVAL; - + f->index = array_index_nospec(f->index, ARRAY_SIZE(formats)); f->pixelformat = formats[f->index].pixelformat; return 0; -- 2.7.4
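Review bot: in the @@ -66,6 +66,8 @@ hunk the header added for array_index_nospec() comes in together with an extra blank line, directly above the "/* DRIF register offsets */" comment, so it ends up as a one-line group of its own rather than part of the existing #include block. Unless there is an ordering reason, place it with the other includes and drop the added blank line, which also brings this hunk down to a single insertion.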
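Review bot: in the @@ -905,7 +907,7 @@ hunk of rcar_drif_enum_fmt_sdr_cap(), the new "f->index = array_index_nospec(f->index, ARRAY_SIZE(formats));" line replaces the blank line after "return -EINVAL;", so the clamp runs straight on from the bounds check with nothing to say it is a speculation barrier and not a second range check. Keep the blank line and add a one-line comment above the clamp stating that it stops a speculative out-of-bounds read of formats[]. A later cleanup could otherwise drop it as redundant with the "f->index >= ARRAY_SIZE(formats)" test. The ordering itself is right: the architectural check has to stay first, since the clamp only bounds the value and cannot report -EINVAL.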