Received: by 10.192.165.148 with SMTP id m20csp3715670imm; Mon, 23 Apr 2018 11:03:41 -0700 (PDT) X-Google-Smtp-Source: AIpwx48k116vF8XHR0i/JrU9zbHtjIDF92l1btyIw1b9chpRjQ1LuCRbO/CQT4GhAtL8qzmWhBPS X-Received: by 10.99.181.30 with SMTP id y30mr15819423pge.279.1524506621224; Mon, 23 Apr 2018 11:03:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524506621; cv=none; d=google.com; s=arc-20160816; b=mv4jGJZu6OX2q/5n4EaOOwk9EQKS/QLLNMH4IxP05ASYA0Abx8HYoybgMir+PJSiq+ fkIP7r9Y/Zi0mwUT94d+sZmgWAjrX0vZ3q11ze3m4XcqZM7KF2qMPN/tE3DeOlOy8JiI MIEAZzNSmf5pPPVUX5gmOLHsZXr2+VR0r2ozdLruhF4qrayqVxmEJYxeW8XmsznxMEoU 6FBvRgCKJ/qhcrzf8i3n4Cj49xoLbszwSDK2gOWEIQZDJKhE8aBubx3wWNAP7zs3QJca DuNmAtNzdnZq8xhewiVTKjUNkfg3+5c6voOiWW/MN7px0UneurKgcQd4tyfTAXed+nwA wCUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:to :from:date:arc-authentication-results; bh=tP+1S8VbWVeWQuOvxaoDat/bBB7FIeeZ5zSkBjcS/1c=; b=BvqwKqdC1OKDY6OLaxG/W2BCiOJCiX6ByWmHLCN+g78o87j5aEubD2qYl130OX+71n +Ve8Ry02zlCHpdLwWvXpESxTydEaMeHk39FZbKSyCOR+VV0AuiJ47FmZzDlR/e8In+lR lIzVy8bCOdQ7YE96CbU7EjEKe77R7fYWnN6vwr5412X/n/wSif71gwJXBUOkcldiG0mm kc3UYfx5gb1980lE7hZQD5DsK2x9MNbN47nsmjo92pslG71aXKyt0K2DcqzRU02G3x9o hZJAh+A6ZBdDr2yvdp9fF6QEHAm3gnTjVkraC5ql4DUsN/XKjnSZeLqSm/ghJHaOUtGK 4d/g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h16-v6si2508282pli.493.2018.04.23.11.03.27; Mon, 23 Apr 2018 11:03:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932409AbeDWSBz (ORCPT + 99 others); Mon, 23 Apr 2018 14:01:55 -0400 Received: from gateway36.websitewelcome.com ([192.185.198.13]:40511 "EHLO gateway36.websitewelcome.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932306AbeDWSBt (ORCPT ); Mon, 23 Apr 2018 14:01:49 -0400 Received: from cm16.websitewelcome.com (cm16.websitewelcome.com [100.42.49.19]) by gateway36.websitewelcome.com (Postfix) with ESMTP id 581C3400CE429 for ; Mon, 23 Apr 2018 12:39:22 -0500 (CDT) Received: from gator4166.hostgator.com ([108.167.133.22]) by cmsmtp with SMTP id AfQwfv5z6WCOCAfQwfpyct; Mon, 23 Apr 2018 12:39:22 -0500 X-Authority-Reason: nr=8 Received: from [189.145.48.65] (port=49548 helo=embeddedor) by gator4166.hostgator.com with esmtpa (Exim 4.89_1) (envelope-from ) id 1fAfQv-004MgT-Pd; Mon, 23 Apr 2018 12:39:21 -0500 Date: Mon, 23 Apr 2018 12:39:21 -0500 From: "Gustavo A. R. Silva" To: Mauro Carvalho Chehab , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" , Dan Carpenter Subject: [PATCH 03/11] fsl-viu: fix potential Spectre variant 1 Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator4166.hostgator.com X-AntiAbuse: Original Domain - vger.kernel.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - embeddedor.com X-BWhitelist: no X-Source-IP: 189.145.48.65 X-Source-L: No X-Exim-ID: 1fAfQv-004MgT-Pd X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (embeddedor) [189.145.48.65]:49548 X-Source-Auth: gustavo@embeddedor.com X-Email-Count: 33 X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20= X-Local-Domain: yes Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org f->index can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. Smatch warning: drivers/media/platform/fsl-viu.c:587 vidioc_enum_fmt() warn: potential spectre issue 'formats' Fix this by sanitizing f->index before using it to index formats. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Reported-by: Dan Carpenter Signed-off-by: Gustavo A. R. Silva --- drivers/media/platform/fsl-viu.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/fsl-viu.c b/drivers/media/platform/fsl-viu.c index e41510c..8356d26 100644 --- a/drivers/media/platform/fsl-viu.c +++ b/drivers/media/platform/fsl-viu.c @@ -33,6 +33,8 @@ #include #include +#include + #define DRV_NAME "fsl_viu" #define VIU_VERSION "0.5.1" @@ -579,12 +581,10 @@ static int vidioc_querycap(struct file *file, void *priv, static int vidioc_enum_fmt(struct file *file, void *priv, struct v4l2_fmtdesc *f) { - int index = f->index; - if (f->index >= NUM_FORMATS) return -EINVAL; - - f->pixelformat = formats[index].fourcc; + f->index = array_index_nospec(f->index, NUM_FORMATS); + f->pixelformat = formats[f->index].fourcc; return 0; } -- 2.7.4