band->index can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. Smatch warning: drivers/media/platform/vivid/vivid-sdr-cap.c:323 vivid_sdr_enum_freq_bands() warn: potential spectre issue 'bands_adc' Fix this by sanitizing band->index before using it to index bands_adc and bands_fm. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@xxxxxxxxxxxxxxx Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx> --- drivers/media/platform/vivid/vivid-sdr-cap.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/platform/vivid/vivid-sdr-cap.c b/drivers/media/platform/vivid/vivid-sdr-cap.c index cfb7cb4..684d8a2 100644 --- a/drivers/media/platform/vivid/vivid-sdr-cap.c +++ b/drivers/media/platform/vivid/vivid-sdr-cap.c @@ -22,6 +22,8 @@ #include "vivid-ctrls.h" #include "vivid-sdr-cap.h" +#include <linux/nospec.h> + /* stream formats */ struct vivid_format { u32 pixelformat; @@ -320,11 +322,15 @@ int vivid_sdr_enum_freq_bands(struct file *file, void *fh, case 0: if (band->index >= ARRAY_SIZE(bands_adc)) return -EINVAL; + band->index = array_index_nospec(band->index, + ARRAY_SIZE(bands_adc)); *band = bands_adc[band->index]; return 0; case 1: if (band->index >= ARRAY_SIZE(bands_fm)) return -EINVAL; + band->index = array_index_nospec(band->index, + ARRAY_SIZE(bands_fm)); *band = bands_fm[band->index]; return 0; default: -- 2.7.4
