Received: by 10.192.165.148 with SMTP id m20csp3811169imm;
        Mon, 23 Apr 2018 12:48:39 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+hAYL3wohyigk6cmc+StWEZmP+u/04Sm2jHnEzB3yeLtCB/yzKJRg/8hVSOuNyuUnnlleb
X-Received: by 2002:a17:902:d685:: with SMTP id v5-v6mr21807292ply.284.1524512919250;
        Mon, 23 Apr 2018 12:48:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524512919; cv=none;
        d=google.com; s=arc-20160816;
        b=kWm0zXQaH0W3RPtrNQoFyzjMKNh/NfRz52mwqwBS6geYHIlDR1C9bBrm8V5EZJZi3/
         y1vqw312sNGigy9gG9nvSlsbkdtZRHrKbFp7PnspOm27ONIjkU2P3RorTbC0qMC7HUsF
         crgSJ4e9pn4yoHkFOF61i5n3+ZKE8hYr+yO9GDRJFQo0QuxjMi0iBDhQZXyp+zo4x47R
         Ya57bHv7wafo65YhOuCpjc9q7xSIlAHOvHMR3RodkyjJgoLGW5CFnLSFjQrD+vPcznGh
         hDYmWIi0iqZ7eNVtwjczSntpaA/Elgof01d15W1FehOeLybsnIbS/ihd0OYKeuHYAVFs
         mPdQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=oFN4k5PMOpjOGPepDdHMljdMiKzQmclA5yOxP4rXceo=;
        b=bEXSWcOCZ9clyi0E5S19hhGLJ0LYPT8WY1A632fqdgz+AihfqWiN8ob+1C9qNCY52y
         yIoFvGVXBu2hxAcBeh9qywJDCFpyPGUpf7rYQMU1lHIbSCeiKJN39A2a6KwhYdKGM4ZO
         F3ef4/GGuwsr5ymquWomHxMm3Olfu2+bzXo7tI8Mxt0W8nj2V6cEDpem88mtLLfgECEZ
         TFcYOKzb07oUa1UwAxS59pJ7Udg6Fttau/RSGisY+nqqzF2j0nLRxty2M+Fit9gVYXEK
         LSAIbsz9bGa44QIucOv56xUp+A+C9mAzbUEGTepzEBeFOr8blno59X+phrnyUgzTbYzf
         HQQQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k10si9686516pgo.650.2018.04.23.12.48.24;
        Mon, 23 Apr 2018 12:48:39 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932388AbeDWTqv (ORCPT <rfc822;learnos2017@gmail.com>
        + 99 others); Mon, 23 Apr 2018 15:46:51 -0400
Received: from gateway36.websitewelcome.com ([192.185.187.5]:19969 "EHLO
        gateway36.websitewelcome.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S932295AbeDWTqs (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 Apr 2018 15:46:48 -0400
X-Greylist: delayed 1427 seconds by postgrey-1.27 at vger.kernel.org; Mon, 23 Apr 2018 15:46:48 EDT
Received: from cm16.websitewelcome.com (cm16.websitewelcome.com [100.42.49.19])
        by gateway36.websitewelcome.com (Postfix) with ESMTP id 3056741175CDE
        for <linux-kernel@vger.kernel.org>; Mon, 23 Apr 2018 14:23:01 -0500 (CDT)
Received: from gator4166.hostgator.com ([108.167.133.22])
        by cmsmtp with SMTP
        id Ah3FfxQReWCOCAh3FfsIHs; Mon, 23 Apr 2018 14:23:01 -0500
X-Authority-Reason: nr=8
Received: from [189.145.48.65] (port=60388 helo=[192.168.1.71])
        by gator4166.hostgator.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
        (Exim 4.89_1)
        (envelope-from <gustavo@embeddedor.com>)
        id 1fAh3E-001QXi-R8; Mon, 23 Apr 2018 14:23:00 -0500
Subject: Re: [PATCH 01/11] media: tm6000: fix potential Spectre variant 1
To:     Mauro Carvalho Chehab <mchehab@kernel.org>
Cc:     Dan Carpenter <dan.carpenter@oracle.com>,
        linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
References: <cover.1524499368.git.gustavo@embeddedor.com>
 <3d4973141e218fb516422d3d831742d55aaa5c04.1524499368.git.gustavo@embeddedor.com>
 <20180423152455.363d285c@vento.lan>
 <3ab9c4c9-0656-a08e-740e-394e2e509ae9@embeddedor.com>
 <20180423161742.66f939ba@vento.lan>
From:   "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Message-ID: <b9449849-f0ce-7e33-1134-489f13a28e40@embeddedor.com>
Date:   Mon, 23 Apr 2018 14:22:52 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <20180423161742.66f939ba@vento.lan>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator4166.hostgator.com
X-AntiAbuse: Original Domain - vger.kernel.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - embeddedor.com
X-BWhitelist: no
X-Source-IP: 189.145.48.65
X-Source-L: No
X-Exim-ID: 1fAh3E-001QXi-R8
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: ([192.168.1.71]) [189.145.48.65]:60388
X-Source-Auth: gustavo@embeddedor.com
X-Email-Count: 24
X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20=
X-Local-Domain: yes
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 04/23/2018 02:17 PM, Mauro Carvalho Chehab wrote:
> Em Mon, 23 Apr 2018 14:11:02 -0500
> "Gustavo A. R. Silva" <gustavo@embeddedor.com> escreveu:
> 
>> On 04/23/2018 01:24 PM, Mauro Carvalho Chehab wrote:
>>> Em Mon, 23 Apr 2018 12:38:03 -0500
>>> "Gustavo A. R. Silva" <gustavo@embeddedor.com> escreveu:
>>>    
>>>> f->index can be controlled by user-space, hence leading to a
>>>> potential exploitation of the Spectre variant 1 vulnerability.
>>>>
>>>> Smatch warning:
>>>> drivers/media/usb/tm6000/tm6000-video.c:879 vidioc_enum_fmt_vid_cap() warn: potential spectre issue 'format'
>>>>
>>>> Fix this by sanitizing f->index before using it to index
>>>> array _format_
>>>>
>>>> Notice that given that speculation windows are large, the policy is
>>>> to kill the speculation on the first load and not worry if it can be
>>>> completed with a dependent load/store [1].
>>>>
>>>> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
>>>>
>>>> Cc: stable@vger.kernel.org
>>>> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>>>> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
>>>> ---
>>>>    drivers/media/usb/tm6000/tm6000-video.c | 2 ++
>>>>    1 file changed, 2 insertions(+)
>>>>
>>>> diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c
>>>> index b2399d4..d701027 100644
>>>> --- a/drivers/media/usb/tm6000/tm6000-video.c
>>>> +++ b/drivers/media/usb/tm6000/tm6000-video.c
>>>> @@ -26,6 +26,7 @@
>>>>    #include <linux/kthread.h>
>>>>    #include <linux/highmem.h>
>>>>    #include <linux/freezer.h>
>>>> +#include <linux/nospec.h>
>>>>    
>>>>    #include "tm6000-regs.h"
>>>>    #include "tm6000.h"
>>>> @@ -875,6 +876,7 @@ static int vidioc_enum_fmt_vid_cap(struct file *file, void  *priv,
>>>>    	if (f->index >= ARRAY_SIZE(format))
>>>>    		return -EINVAL;
>>>>    
>>>> +	f->index = array_index_nospec(f->index, ARRAY_SIZE(format));
>>>
>>> Please enlighten me: how do you think this could be exploited?
>>>
>>> When an application calls VIDIOC_ENUM_FMT from a /dev/video0 device,
>>> it will just enumerate a hardware functionality, with is constant
>>> for a given hardware piece.
>>>
>>> The way it works is that userspace do something like:
>>>
>>> 	int ret = 0;
>>>
>>> 	for (i = 0; ret == 0; i++) {
>>> 		ret = ioctl(VIDIOC_ENUM_FMT, ...);
>>> 	}
>>>
>>> in order to read an entire const table.
>>>
>>> Usually, it doesn't require any special privilege to call this ioctl,
>>> but, even if someone changes its permission to 0x400, a simple lsusb
>>> output is enough to know what hardware model is there. A lsmod
>>> or cat /proc/modules) also tells that the tm6000 module was loaded,
>>> with is a very good hint that the tm6000 is there or was there in the
>>> past.
>>>
>>> In the specific case of tm6000, all hardware supports exactly the
>>> same formats, as this is usually defined per-driver. So, a quick look
>>> at the driver is enough to know exactly what the ioctl would answer.
>>> Also, the net is full of other resources that would allow anyone
>>> to get the supported formats for a piece of hardware.
>>>
>>> Even assuming that the OS doesn't have lsusb, that /proc is not
>>> mounted, that /dev/video0 require special permissions, that the
>>> potential attacker doesn't have physical access to the equipment (in
>>> order to see if an USB board is plugged), etc... What possible harm
>>> he could do by identifying a hardware feature?
>>>
>>> Similar notes for the other patches to drivers/media in this
>>> series: let's not just start adding bloatware where not needed.
>>>
>>> Please notice that I'm fine if you want to submit potential
>>> Spectre variant 1 fixups, but if you're willing to do so,
>>> please provide an explanation about the potential threat scenarios
>>> that you're identifying at the code.
>>>
>>> Dan,
>>>
>>> It probably makes sense to have somewhere at smatch a place where
>>> we could explicitly mark the false-positives, in order to avoid
>>> use to receive patches that would just add an extra delay where
>>> it is not needed.
>>>    
>> I see I've missed some obvious things that you've pointed out here. I'll
>> mark these warnings as False Positives and take your points into account
>> for the analysis of the rest of the Spectre issues reported by Smatch.
> 
> Thanks, I 'll mark this series as rejected at patchwork.linuxtv.org.
> Please feel free to resubmit any patch if they represent a real
> threat, adding a corresponding description about the threat scenario
> at the body of the e-mail.
> 

Yeah. I got it.

>> Sorry for the noise and thanks for the feedback.
> 
> Anytime.
> 

Much appreciated. :)

Thanks
--
Gustavo