On Tue, Apr 24, 2018 at 02:47:55PM -0300, Mauro Carvalho Chehab wrote:
> So, I'm wondering if there is any way to mitigate it inside the
> core itself, instead of doing it on every driver, e.g. changing
> the v4l_enum_fmt() implementation at v4l2-ioctl.
>
> Ok, a "poor man" approach would be to pass the array directly to
> the core and let the implementation there implement the array
> fetch logic, calling array_index_nospec() there, but I wonder if
> there is any other way that won't require too much code churn.

Sadly no; the whole crux is the array bound check itself.

You could maybe pass around the array size to the core code and then do
something like:

	if (f->index >= f->array_size)
		return -EINVAL;
	f->index = array_index_nospec(f->index, f->array_size);

in generic code, and have all the drivers use f->index as usual, but even
that would be quite a bit of code churn I guess.
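As an added illustration (not code from this thread or from the V4L2 core), here is a user-space model of the arrangement sketched in the reply: a core-side helper receives the driver's table size, does the bound check and the array_index_nospec() clamp once, and only then calls the driver callback, which indexes its table with f->index as usual. The names core_enum_fmt, driver_enum_fmt and struct fmtdesc are hypothetical stand-ins, and array_index_mask_nospec() is a user-space copy of the kernel's generic mask, not the kernel header itself.

```c
#include <errno.h>
#include <stdint.h>

#define BITS_PER_LONG (sizeof(unsigned long) * 8)
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* User-space copy of the kernel's generic mask: all ones when index < size,
 * all zeros otherwise, branch-free so it holds even under speculation. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    __asm__ __volatile__("" : "+r"(index)); /* stand-in for OPTIMIZER_HIDE_VAR */
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed stand-ins for struct v4l2_fmtdesc and a driver's format table. */
struct fmtdesc {
    uint32_t index;       /* comes from user space, untrusted */
    uint32_t pixelformat;
};
static const uint32_t driver_formats[] = { 0x56595559, 0x32315559, 0x47504A4D };

typedef int (*enum_fmt_cb)(struct fmtdesc *f);

/* Hypothetical core-side helper: the driver passes its table size; the core
 * rejects out-of-range indices and masks the in-range one before the driver
 * dereferences it, so the Spectre-v1 fix lives in one place. */
static int core_enum_fmt(struct fmtdesc *f, unsigned long array_size,
                         enum_fmt_cb cb)
{
    if (f->index >= array_size)
        return -EINVAL;
    f->index = array_index_nospec(f->index, array_size);
    return cb(f);
}

/* Driver callback: indexes its table with f->index as usual, relying on the
 * core having already bounded and masked the value. */
static int driver_enum_fmt(struct fmtdesc *f)
{
    f->pixelformat = driver_formats[f->index];
    return 0;
}
```

A driver's ioctl entry would then reduce to `core_enum_fmt(f, ARRAY_SIZE(driver_formats), driver_enum_fmt)`, with no per-driver array_index_nospec() call.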