From patchwork Mon Apr 23 17:52:35 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
X-Patchwork-Id: 10357983
X-Patchwork-Delegate: geert@linux-m68k.org
Return-Path: <linux-renesas-soc-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	0BB8260209 for <patchwork-linux-renesas-soc@patchwork.kernel.org>;
	Mon, 23 Apr 2018 18:14:22 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EF22628A6C
	for <patchwork-linux-renesas-soc@patchwork.kernel.org>;
	Mon, 23 Apr 2018 18:14:21 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id E24A428C01; Mon, 23 Apr 2018 18:14:21 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5D4A628A6C
	for <patchwork-linux-renesas-soc@patchwork.kernel.org>;
	Mon, 23 Apr 2018 18:14:21 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932200AbeDWSOU (ORCPT
	<rfc822;patchwork-linux-renesas-soc@patchwork.kernel.org>);
	Mon, 23 Apr 2018 14:14:20 -0400
Received: from gateway31.websitewelcome.com ([192.185.144.80]:24541 "EHLO
	gateway31.websitewelcome.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S932109AbeDWSOU (ORCPT
	<rfc822;linux-renesas-soc@vger.kernel.org>);
	Mon, 23 Apr 2018 14:14:20 -0400
X-Greylist: delayed 1303 seconds by postgrey-1.27 at vger.kernel.org;
	Mon, 23 Apr 2018 14:14:20 EDT
Received: from cm10.websitewelcome.com (cm10.websitewelcome.com
	[100.42.49.4])
	by gateway31.websitewelcome.com (Postfix) with ESMTP id 2E2DF2E6F58
	for <linux-renesas-soc@vger.kernel.org>;
	Mon, 23 Apr 2018 12:52:37 -0500 (CDT)
Received: from gator4166.hostgator.com ([108.167.133.22]) by cmsmtp with SMTP
	id AfdkfZZLR6il3Afdlfa5di; Mon, 23 Apr 2018 12:52:37 -0500
X-Authority-Reason: nr=8
Received: from [189.145.48.65] (port=49630 helo=embeddedor)
	by gator4166.hostgator.com with esmtpa (Exim 4.89_1)
	(envelope-from <gustavo@embeddedor.com>)
	id 1fAfdk-0009D4-AF; Mon, 23 Apr 2018 12:52:36 -0500
Date: Mon, 23 Apr 2018 12:52:35 -0500
From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
To: Mauro Carvalho Chehab <mchehab@kernel.org>,
	linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	Dan Carpenter <dan.carpenter@oracle.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	linux-renesas-soc@vger.kernel.org
Subject: [PATCH 11/11] vsp1_rwpf: fix potential Spectre variant 1
Message-ID: 
 <54ddd5303a6964e1295a4f5d009e683810fc3c18.1524499368.git.gustavo@embeddedor.com>
References: <cover.1524499368.git.gustavo@embeddedor.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1524499368.git.gustavo@embeddedor.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-AntiAbuse: This header was added to track abuse,
	please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator4166.hostgator.com
X-AntiAbuse: Original Domain - vger.kernel.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - embeddedor.com
X-BWhitelist: no
X-Source-IP: 189.145.48.65
X-Source-L: No
X-Exim-ID: 1fAfdk-0009D4-AF
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: (embeddedor) [189.145.48.65]:49630
X-Source-Auth: gustavo@embeddedor.com
X-Email-Count: 75
X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20=
X-Local-Domain: yes
Sender: linux-renesas-soc-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-renesas-soc.vger.kernel.org>
X-Mailing-List: linux-renesas-soc@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

code->index can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

Smatch warning:
drivers/media/platform/vsp1/vsp1_rwpf.c:47 vsp1_rwpf_enum_mbus_code() warn: potential spectre issue 'codes'

Fix this by sanitizing code->index before using it to index
codes.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
 drivers/media/platform/vsp1/vsp1_rwpf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/vsp1/vsp1_rwpf.c b/drivers/media/platform/vsp1/vsp1_rwpf.c
index cfd8f19..6e887be 100644
--- a/drivers/media/platform/vsp1/vsp1_rwpf.c
+++ b/drivers/media/platform/vsp1/vsp1_rwpf.c
@@ -13,6 +13,8 @@
 
 #include <media/v4l2-subdev.h>
 
+#include <linux/nospec.h>
+
 #include "vsp1.h"
 #include "vsp1_rwpf.h"
 #include "vsp1_video.h"
@@ -44,6 +46,7 @@ static int vsp1_rwpf_enum_mbus_code(struct v4l2_subdev *subdev,
 	if (code->index >= ARRAY_SIZE(codes))
 		return -EINVAL;
 
+	code->index = array_index_nospec(code->index, ARRAY_SIZE(codes));
 	code->code = codes[code->index];
 
 	return 0;