diff mbox

media: dvb_ca_en50221: prevent using slot_info for Spectre attacs

Message ID ae2d6eda8cfc9db99fc4ce8d775fa7d4bf7d2068.1526388231.git.mchehab+samsung@kernel.org (mailing list archive)
State New, archived
Headers show

Commit Message

Mauro Carvalho Chehab May 15, 2018, 12:43 p.m. UTC
slot can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability,
as warned by smatch:
	drivers/media/dvb-core/dvb_ca_en50221.c:1479 dvb_ca_en50221_io_write() warn: potential spectre issue 'ca->slot_info' (local cap)

Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
---
 drivers/media/dvb-core/dvb_ca_en50221.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Jasmin J. May 15, 2018, 5:49 p.m. UTC | #1
Hi!

I can't test it currently, but I reviewed it and it looks good.
So you can add my Acked-by .

BR,
   Jasmin
diff mbox

Patch

diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index 97365a863519..1310526b0d49 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -31,6 +31,7 @@ 
 #include <linux/slab.h>
 #include <linux/list.h>
 #include <linux/module.h>
+#include <linux/nospec.h>
 #include <linux/vmalloc.h>
 #include <linux/delay.h>
 #include <linux/spinlock.h>
@@ -1476,6 +1477,7 @@  static ssize_t dvb_ca_en50221_io_write(struct file *file,
 
 	if (slot >= ca->slot_count)
 		return -EINVAL;
+	slot = array_index_nospec(slot, ca->slot_count);
 	sl = &ca->slot_info[slot];
 
 	/* check if the slot is actually running */