projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 782b9d2)
media: dvb_ca_en50221: prevent using slot_info for Spectre attacs
authorMauro Carvalho Chehab <mchehab+samsung@kernel.org>
Tue, 15 May 2018 12:31:38 +0000 (08:31 -0400)
committerMauro Carvalho Chehab <mchehab+samsung@kernel.org>
Wed, 16 May 2018 14:17:22 +0000 (10:17 -0400)
slot can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability,
as warned by smatch:
drivers/media/dvb-core/dvb_ca_en50221.c:1479 dvb_ca_en50221_io_write() warn: potential spectre issue 'ca->slot_info' (local cap)

Acked-by: "Jasmin J." <jasmin@anw.at>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
drivers/media/dvb-core/dvb_ca_en50221.c patch | blob | history

diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index 97365a8..1310526 100644 (file)
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -31,6 +31,7 @@
 #include <linux/slab.h>
 #include <linux/list.h>
 #include <linux/module.h>
+#include <linux/nospec.h>
 #include <linux/vmalloc.h>
 #include <linux/delay.h>
 #include <linux/spinlock.h>
@@ -1476,6 +1477,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,
 
        if (slot >= ca->slot_count)
                return -EINVAL;
+       slot = array_index_nospec(slot, ca->slot_count);
        sl = &ca->slot_info[slot];
 
        /* check if the slot is actually running */
Domain: System / Kernel;