fmt->index can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. Smatch warning: drivers/media/platform/sh_vou.c:407 sh_vou_enum_fmt_vid_out() warn: potential spectre issue 'vou_fmt' Fix this by sanitizing fmt->index before using it to index vou_fmt. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@xxxxxxxxxxxxxxx Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx> --- drivers/media/platform/sh_vou.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/platform/sh_vou.c b/drivers/media/platform/sh_vou.c index 4dccf29..58d8645 100644 --- a/drivers/media/platform/sh_vou.c +++ b/drivers/media/platform/sh_vou.c @@ -30,6 +30,8 @@ #include <media/videobuf2-v4l2.h> #include <media/videobuf2-dma-contig.h> +#include <linux/nospec.h> + /* Mirror addresses are not available for all registers */ #define VOUER 0 #define VOUCR 4 @@ -398,6 +400,7 @@ static int sh_vou_enum_fmt_vid_out(struct file *file, void *priv, if (fmt->index >= ARRAY_SIZE(vou_fmt)) return -EINVAL; + fmt->index = array_index_nospec(fmt->index, ARRAY_SIZE(vou_fmt)); dev_dbg(vou_dev->v4l2_dev.dev, "%s()\n", __func__); -- 2.7.4
