From: Laurent Pinchart
To: Dan Williams
Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, alan@linux.intel.com, kernel-hardening@lists.openwall.com, tglx@linutronix.de, Mauro Carvalho Chehab, torvalds@linux-foundation.org, akpm@linux-foundation.org, Elena Reshetova, linux-media@vger.kernel.org
Subject: Re: [PATCH v2 14/19] [media] uvcvideo: prevent bounds-check bypass via speculative execution
Date: Tue, 07 Aug 2018 00:40:52 +0300
Message-ID: <1624792.F9dcxCXkCx@avalon>
Organization: Ideas on Board Oy
In-Reply-To: <151571806069.27429.6683179525235570687.stgit@dwillia2-desk3.amr.corp.intel.com>
References: <151571798296.27429.7166552848688034184.stgit@dwillia2-desk3.amr.corp.intel.com> <151571806069.27429.6683179525235570687.stgit@dwillia2-desk3.amr.corp.intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Dan,

Thank you for the patch.

On Friday, 12 January 2018 02:47:40 EEST Dan Williams wrote:
> Static analysis reports that 'index' may be a user controlled value that
> is used as a data dependency to read 'pin' from the
> 'selector->baSourceID' array. In order to avoid potential leaks of
> kernel memory values, block speculative execution of the instruction
> stream that could issue reads based on an invalid value of 'pin'.
>
> Based on an original patch by Elena Reshetova.
>
> Laurent notes:
>
> "...as this is nowhere close to being a fast path, I think we can close
> this potential hole as proposed in the patch"
>
> Cc: Mauro Carvalho Chehab
> Cc: linux-media@vger.kernel.org
> Reviewed-by: Laurent Pinchart
> Signed-off-by: Elena Reshetova
> Signed-off-by: Dan Williams

What's the status of this series (and of this patch in particular) ?

> ---
> drivers/media/usb/uvc/uvc_v4l2.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
> > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c > b/drivers/media/usb/uvc/uvc_v4l2.c index 3e7e283a44a8..30ee200206ee 100644 > --- a/drivers/media/usb/uvc/uvc_v4l2.c > +++ b/drivers/media/usb/uvc/uvc_v4l2.c > @@ -22,6 +22,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -809,8 +810,12 @@ static int uvc_ioctl_enum_input(struct file *file, void > *fh, const struct uvc_entity *selector = chain->selector; > struct uvc_entity *iterm = NULL; > u32 index = input->index; > + __u8 *elem = NULL; > int pin = 0; > > + if (selector) > + elem = array_ptr(selector->baSourceID, index, > + selector->bNrInPins); > if (selector == NULL || > (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) { > if (index != 0) > @@ -820,8 +825,8 @@ static int uvc_ioctl_enum_input(struct file *file, void > *fh, break; > } > pin = iterm->id; > - } else if (index < selector->bNrInPins) { > - pin = selector->baSourceID[index]; > + } else if (elem) { > + pin = *elem; > list_for_each_entry(iterm, &chain->entities, chain) { > if (!UVC_ENTITY_IS_ITERM(iterm)) > continue; -- Regards, Laurent Pinchart
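
Review bot: In the @@ -809 hunk, array_ptr() runs whenever selector is non-NULL, ahead of the `selector == NULL || (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)` test, so on the quirk path elem is computed and never used. That is harmless, but a short comment saying elem has to be set up before the if/else chain for the later `else if (elem)` would show the ordering is deliberate. Since elem is only ever read through (`pin = *elem`), `const __u8 *elem` would also document that.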
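
Review bot: In the @@ -820 hunk, the explicit `index < selector->bNrInPins` test is removed and the range check is now implied by `else if (elem)`, which holds only as long as array_ptr() returns NULL for an out-of-range index. A one-line comment at `else if (elem)` stating that dependency would keep the bounds check visible to anyone reading uvc_ioctl_enum_input() without the helper's definition at hand.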
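
An added illustration, not code from the patch or the kernel tree: a user-space sketch of the kind of branchless masking a helper like array_ptr() relies on, so that an out-of-range index yields NULL instead of an attacker-chosen address even when a bounds branch is mispredicted. The mask expression follows the generic array_index_mask_nospec() in mainline include/linux/nospec.h; index_mask, array_ptr_sketch, lookup_pin, the reduced struct and the sample data are hypothetical names constructed for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define LONG_BITS (sizeof(long) * CHAR_BIT)

/* All-ones when index < size, zero otherwise, with no conditional branch.
 * Assumes size <= LONG_MAX and an arithmetic right shift of negative longs
 * (true for GCC and Clang). */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >> (LONG_BITS - 1));
}

/* Hypothetical stand-in for array_ptr(): &base[index] in range, else NULL.
 * The index is clamped to 0 first, so no out-of-range address is formed. */
static const uint8_t *array_ptr_sketch(const uint8_t *base, unsigned long index,
				       unsigned long size)
{
	unsigned long mask = index_mask(index, size);

	return (const uint8_t *)((uintptr_t)(base + (index & mask)) & mask);
}

struct selector {		/* constructed, reduced to the two fields used */
	uint8_t bNrInPins;
	const uint8_t *baSourceID;
};

static const uint8_t sample_ids[] = { 3, 5, 7 };	/* constructed sample data */
static const struct selector sample = { 3, sample_ids };

/* Mirrors "else if (elem) pin = *elem;". If the NULL test is mispredicted,
 * the speculative load targets address 0, not base + attacker-chosen index. */
static int lookup_pin(const struct selector *sel, uint32_t index)
{
	const uint8_t *elem = array_ptr_sketch(sel->baSourceID, index, sel->bNrInPins);

	return elem ? *elem : -1;
}

int main(void)
{
	uint32_t probes[] = { 0, 2, 3, 0xffffffffu };

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("index %u -> pin %d\n", (unsigned)probes[i], lookup_pin(&sample, probes[i]));
	return 0;
}
```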