Received: by 10.192.165.148 with SMTP id m20csp3706765imm; Mon, 23 Apr 2018 10:54:55 -0700 (PDT) X-Google-Smtp-Source: AIpwx4802WH/Sf4Xe321mIZv1xpqwre+r78YYbUdrU8sT+/xzFVi2To5lIdYOAebT6SRq5PF5Dm+ X-Received: by 10.98.87.150 with SMTP id i22mr21018452pfj.119.1524506094909; Mon, 23 Apr 2018 10:54:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524506094; cv=none; d=google.com; s=arc-20160816; b=IQTTGMjALvNK8wTMREFCk/uBjoBvfsfR5cyPKCnCybxiOe3IPcFUmYIvuXh43VfAGf B5gBsUWRn3FpEXJA3I1ym/+r2mQhyLUVDU1HUxO6I6IT5/hHUBRA2P/tOblCuAslDeRf pRr4eSDP3MmK+skm8pTGcW7v/er7rfsIKePusuyZ+J7zX+TSE9YxjXhwKiWQ+EmBDMBF xgnGlDYiD/PJn9mJCDB/hkEINkiBiDf/vAoYPb+QuaTfoZ2oARvXbcT6J/YVn7wDOwxN lW7//cjZM01MsXWo6ZT4fWsc7AVWCBfuQhmez0NetpPwsL2JceY1vfByTWhp92rNtJ+g lwRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=gTtr89iT2xvSMiFDeOQhF9M9NnwkIzqLc5ZeZb7g/BU=; b=C+M4CVyx0Sv5zGZONN5moVDS0Ie79bjRcQXdQJbZ9a0+RzhKhm/sUeFbBeN2N3NMr9 maKef0qPcyrEVSDpTucStioTEhJX2/hAt2+5GM6T3BH9BKEsvVGbOYnNOVkh6aSJl6N7 eWLPD4m3GtJqsV3DSfXBrR7279EDzYRiyR67aGIwSAnY5oDQrpg6y5NyXF1m1umf/29E EX00QVfpLsIV4+0VFEiKkPG0eTX0nf8bv9E4pX0jPlbkBxCIplyEvWi/QQ4bHTjQYdhq P2GFuHjVQT3N97P9uEHc0KH09nNPrF3F8X/EkdPUKidjKvJGvizIvb23OzJd7RG0iy1m 3Gbw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c1-v6si12891109pll.449.2018.04.23.10.54.40; Mon, 23 Apr 2018 10:54:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932486AbeDWRw6 (ORCPT + 99 others); Mon, 23 Apr 2018 13:52:58 -0400 Received: from gateway22.websitewelcome.com ([192.185.47.144]:25857 "EHLO gateway22.websitewelcome.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932342AbeDWRwi (ORCPT ); Mon, 23 Apr 2018 13:52:38 -0400 Received: from cm10.websitewelcome.com (cm10.websitewelcome.com [100.42.49.4]) by gateway22.websitewelcome.com (Postfix) with ESMTP id 2F0B22FDD for ; Mon, 23 Apr 2018 12:52:37 -0500 (CDT) Received: from gator4166.hostgator.com ([108.167.133.22]) by cmsmtp with SMTP id AfdkfZZLV6il3Afdlfa5dl; Mon, 23 Apr 2018 12:52:37 -0500 X-Authority-Reason: nr=8 Received: from [189.145.48.65] (port=49630 helo=embeddedor) by gator4166.hostgator.com with esmtpa (Exim 4.89_1) (envelope-from ) id 1fAfdk-0009D4-AF; Mon, 23 Apr 2018 12:52:36 -0500 Date: Mon, 23 Apr 2018 12:52:35 -0500 From: "Gustavo A. R. Silva" To: Mauro Carvalho Chehab , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" , Dan Carpenter Cc: Laurent Pinchart , linux-renesas-soc@vger.kernel.org Subject: [PATCH 11/11] vsp1_rwpf: fix potential Spectre variant 1 Message-ID: <54ddd5303a6964e1295a4f5d009e683810fc3c18.1524499368.git.gustavo@embeddedor.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator4166.hostgator.com X-AntiAbuse: Original Domain - vger.kernel.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - embeddedor.com X-BWhitelist: no X-Source-IP: 189.145.48.65 X-Source-L: No X-Exim-ID: 1fAfdk-0009D4-AF X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (embeddedor) [189.145.48.65]:49630 X-Source-Auth: gustavo@embeddedor.com X-Email-Count: 72 X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20= X-Local-Domain: yes Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org code->index can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. Smatch warning: drivers/media/platform/vsp1/vsp1_rwpf.c:47 vsp1_rwpf_enum_mbus_code() warn: potential spectre issue 'codes' Fix this by sanitizing code->index before using it to index codes. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Reported-by: Dan Carpenter Signed-off-by: Gustavo A. R. Silva --- drivers/media/platform/vsp1/vsp1_rwpf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/platform/vsp1/vsp1_rwpf.c b/drivers/media/platform/vsp1/vsp1_rwpf.c index cfd8f19..6e887be 100644 --- a/drivers/media/platform/vsp1/vsp1_rwpf.c +++ b/drivers/media/platform/vsp1/vsp1_rwpf.c @@ -13,6 +13,8 @@ #include +#include + #include "vsp1.h" #include "vsp1_rwpf.h" #include "vsp1_video.h" @@ -44,6 +46,7 @@ static int vsp1_rwpf_enum_mbus_code(struct v4l2_subdev *subdev, if (code->index >= ARRAY_SIZE(codes)) return -EINVAL; + code->index = array_index_nospec(code->index, ARRAY_SIZE(codes)); code->code = codes[code->index]; return 0; -- 2.7.4