diff mbox series

wifi: rtlwifi: add array bounds check in rtl92d_dm_rxgain_tracking_thermalmeter()

Message ID 20250408151744.3907215-1-dmantipov@yandex.ru (mailing list archive)
State New
Delegated to: Ping-Ke Shih
Headers show
Series wifi: rtlwifi: add array bounds check in rtl92d_dm_rxgain_tracking_thermalmeter() | expand

Checks

Context Check Description
wifibot/fixes_present success Fixes tag not required for -next series
wifibot/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
wifibot/tree_selection success Guessed tree name to be wireless-next
wifibot/ynl success Generated files up to date; no warnings/errors; no diff in generated;
wifibot/build_32bit success Errors and warnings before: 0 this patch: 0
wifibot/build_allmodconfig_warn fail Errors and warnings before: 7 this patch: 9
wifibot/build_clang fail Errors and warnings before: 11 this patch: 11
wifibot/build_clang_rust success No Rust files in patch. Skipping build
wifibot/build_tools success No tools touched, skip
wifibot/check_selftest success No net selftest shell script
wifibot/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
wifibot/deprecated_api success None detected
wifibot/header_inline success No static functions without inline keyword in header files
wifibot/kdoc success Errors and warnings before: 0 this patch: 0
wifibot/source_inline success Was 0 now: 0
wifibot/verify_fixes success No Fixes tag
wifibot/verify_signedoff success Signed-off-by tag matches author and committer

Commit Message

Dmitry Antipov April 8, 2025, 3:17 p.m. UTC 
In 'rtl92d_dm_rxgain_tracking_thermalmeter()', add an extra 'index_mapping'
array bounds check and use the convenient 'array_index_nospec()' to protect
against spectre. Compile tested only.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Ping-Ke Shih April 9, 2025, 1:47 a.m. UTC | #1 
Dmitry Antipov <dmantipov@yandex.ru> wrote:
> In 'rtl92d_dm_rxgain_tracking_thermalmeter()', add an extra 'index_mapping'
> array bounds check and use the convenient 'array_index_nospec()' to protect
> against spectre. Compile tested only.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
>  drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c
> b/drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c
> index 20373ce998bf..44f1d3b40d22 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c
> @@ -139,6 +139,9 @@ static void rtl92d_dm_rxgain_tracking_thermalmeter(struct ieee80211_hw *hw)
>         u32 u4tmp;
> 
>         idx = rtlpriv->efuse.eeprom_thermalmeter - rtlpriv->dm.thermalvalue_rxgain;
> +       if (WARN_ON_ONCE(idx < 0 || idx >= ARRAY_SIZE(index_mapping)))
> +               return;

By original flow, we can ensure rtlpriv->dm.thermalvalue_rxgain must be smaller
or equal to rtlpriv->efuse.eeprom_thermalmeter, so 'idx < 0' is not possible. 

Maybe we can clamp the range within [0, RX_INDEX_MAPPING_NUM - 1] when
assigning value to rtlpriv->dm.thermalvalue_rxgain. 

> +       idx = array_index_nospec(idx, ARRAY_SIZE(index_mapping));

Does this overkill? I'm not very clear when we should use this to prevent CPU
speculates, but if this is really needed, the statements will be added
everywhere. 

>         u4tmp = index_mapping[idx] << 12;
> 
>         rtl_dbg(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD,
> --
> 2.49.0
>
diff mbox series

Patch

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c
index 20373ce998bf..44f1d3b40d22 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192d/dm_common.c
@@ -139,6 +139,9 @@  static void rtl92d_dm_rxgain_tracking_thermalmeter(struct ieee80211_hw *hw)
 	u32 u4tmp;
 
 	idx = rtlpriv->efuse.eeprom_thermalmeter - rtlpriv->dm.thermalvalue_rxgain;
+	if (WARN_ON_ONCE(idx < 0 || idx >= ARRAY_SIZE(index_mapping)))
+		return;
+	idx = array_index_nospec(idx, ARRAY_SIZE(index_mapping));
 	u4tmp = index_mapping[idx] << 12;
 
 	rtl_dbg(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD,