Message ID | 54dea7486d296e39cdbc3e5465fb4f5d3dee92e9.1524499368.git.gustavo@embeddedor.com (mailing list archive) |
---|---|
State | New, archived |
diff --git a/drivers/media/platform/vimc/vimc-debayer.c b/drivers/media/platform/vimc/vimc-debayer.c index 6e10b63..bdd96bb 100644 --- a/drivers/media/platform/vimc/vimc-debayer.c +++ b/drivers/media/platform/vimc/vimc-debayer.c @@ -24,6 +24,8 @@ #include "vimc-common.h" +#include <linux/nospec.h> + #define VIMC_DEB_DRV_NAME "vimc-debayer" static unsigned int deb_mean_win_size = 3; @@ -178,7 +180,8 @@ static int vimc_deb_enum_mbus_code(struct v4l2_subdev *sd, } else { if (code->index >= ARRAY_SIZE(vimc_deb_pix_map_list)) return -EINVAL; - + code->index = array_index_nospec(code->index, + ARRAY_SIZE(vimc_deb_pix_map_list)); code->code = vimc_deb_pix_map_list[code->index].code; }
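Review bot: in the second hunk the `array_index_nospec()` call is placed where it has to be, directly after the `code->index >= ARRAY_SIZE(vimc_deb_pix_map_list)` check and before the first dependent load `vimc_deb_pix_map_list[code->index].code`, so the out-of-range index cannot be used speculatively; and since that case already returned -EINVAL, the clamped value written back into `code->index` is architecturally identical to the original, so nothing user-visible changes. One style nit in the first hunk: `#include <linux/nospec.h>` is added after `#include "vimc-common.h"`, whereas kernel convention groups `<linux/...>` headers ahead of the local `"..."` include, so consider moving it up with the other system headers.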
code->index can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability.

Smatch warning:
drivers/media/platform/vimc/vimc-debayer.c:182 vimc_deb_enum_mbus_code() warn: potential spectre issue 'vimc_deb_pix_map_list'

Fix this by sanitizing code->index before using it to index vimc_deb_pix_map_list.

Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
 drivers/media/platform/vimc/vimc-debayer.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)