From: Mauro Carvalho Chehab
Cc: Mauro Carvalho Chehab, Greg Kroah-Hartman, Hans Verkuil, Mauro Carvalho Chehab, Stefan Herdler, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, stable@vger.kernel.org
Subject: [PATCH 06/13] media: av7110: fix a spectre vulnerability
Date: Wed, 16 Oct 2024 12:22:22 +0200
Message-ID: <134996d99ff80e23fe895674cf640c9a5445798d.1729074076.git.mchehab+huawei@kernel.org>

As warned by smatch:
	drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap)

There is a spectre-related vulnerability in the code. Fix it.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab
--- drivers/staging/media/av7110/av7110.h | 4 +++- drivers/staging/media/av7110/av7110_ca.c | 25 ++++++++++++++++-------- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/drivers/staging/media/av7110/av7110.h b/drivers/staging/media/= av7110/av7110.h index ec461fd187af..b584754f4be0 100644 --- a/drivers/staging/media/av7110/av7110.h +++ b/drivers/staging/media/av7110/av7110.h @@ -88,6 +88,8 @@ struct infrared { u32 ir_config; }; =20 +#define MAX_CI_SLOTS 2 + /* place to store all the necessary device information */ struct av7110 { /* devices */ 
@@ -163,7 +165,7 @@ struct av7110 { =20 /* CA */ =20 - struct ca_slot_info ci_slot[2]; + struct ca_slot_info ci_slot[MAX_CI_SLOTS]; =20 enum av7110_video_mode vidmode; struct dmxdev dmxdev; diff --git a/drivers/staging/media/av7110/av7110_ca.c b/drivers/staging/med= ia/av7110/av7110_ca.c index 6ce212c64e5d..fce4023c9dea 100644 --- a/drivers/staging/media/av7110/av7110_ca.c +++ b/drivers/staging/media/av7110/av7110_ca.c @@ -26,23 +26,28 @@ =20 void CI_handle(struct av7110 *av7110, u8 *data, u16 len) { + unsigned slot_num; + dprintk(8, "av7110:%p\n", av7110); =20 if (len < 3) return; switch (data[0]) { case CI_MSG_CI_INFO: - if (data[2] !=3D 1 && data[2] !=3D 2) + if (data[2] !=3D 1 && data[2] !=3D MAX_CI_SLOTS) break; + + slot_num =3D array_index_nospec(data[2] - 1, MAX_CI_SLOTS); + switch (data[1]) { case 0: - av7110->ci_slot[data[2] - 1].flags =3D 0; + av7110->ci_slot[slot_num].flags =3D 0; break; case 1: - av7110->ci_slot[data[2] - 1].flags |=3D CA_CI_MODULE_PRESENT; + av7110->ci_slot[slot_num].flags |=3D CA_CI_MODULE_PRESENT; break; case 2: - av7110->ci_slot[data[2] - 1].flags |=3D CA_CI_MODULE_READY; + av7110->ci_slot[slot_num].flags |=3D CA_CI_MODULE_READY; break; } break; 
@@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *file, unsigned i= nt cmd, void *parg) case CA_GET_SLOT_INFO: { struct ca_slot_info *info =3D (struct ca_slot_info *)parg; + unsigned int slot_num; =20 if (info->num < 0 || info->num > 1) { mutex_unlock(&av7110->ioctl_mutex); return -EINVAL; } - av7110->ci_slot[info->num].num =3D info->num; - av7110->ci_slot[info->num].type =3D FW_CI_LL_SUPPORT(av7110->arm_app) ? - CA_CI_LINK : CA_CI; - memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info)); + slot_num =3D array_index_nospec(info->num, MAX_CI_SLOTS); + + av7110->ci_slot[slot_num].num =3D info->num; + av7110->ci_slot[slot_num].type =3D FW_CI_LL_SUPPORT(av7110->arm_app) ? + CA_CI_LINK : CA_CI; + memcpy(info, &av7110->ci_slot[slot_num], + sizeof(struct ca_slot_info)); break; } =20 --=20 2.47.0
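Review bot: In the CI_handle() hunk of av7110_ca.c, the validity test `data[2] != 1 && data[2] != MAX_CI_SLOTS` only describes the valid range while MAX_CI_SLOTS is 2; if the macro is ever raised, an intermediate slot number would be rejected even though the array has room for it. A range check such as `data[2] < 1 || data[2] > MAX_CI_SLOTS` keeps the architectural check in step with the `array_index_nospec(data[2] - 1, MAX_CI_SLOTS)` clamp that follows it. The new local is declared as bare `unsigned` here but as `unsigned int` in dvb_ca_ioctl(); use `unsigned int` in both places. No hunk shown for av7110_ca.c adds an include of `<linux/nospec.h>`, so confirm that the header declaring array_index_nospec() is already pulled in by this file.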
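Review bot: In the CA_GET_SLOT_INFO hunk of dvb_ca_ioctl(), the range check still uses the literal bound `info->num > 1` while the clamp directly below it uses MAX_CI_SLOTS, so the two limits can drift apart if the macro changes; write the check as `info->num >= MAX_CI_SLOTS`. The assignment `av7110->ci_slot[slot_num].num = info->num` also stores the unclamped value; assigning `slot_num` there would make every use after the clamp go through the sanitized variable, which is easier to audit.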