band->index can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/media/radio/si470x/radio-si470x-common.c:758 si470x_vidioc_enum_freq_bands() warn: potential spectre issue 'bands' Fix this by sanitizing band->index before using it to index `bands' Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx> --- drivers/media/radio/si470x/radio-si470x-common.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/media/radio/si470x/radio-si470x-common.c b/drivers/media/radio/si470x/radio-si470x-common.c index c40e175..e81f9aa 100644 --- a/drivers/media/radio/si470x/radio-si470x-common.c +++ b/drivers/media/radio/si470x/radio-si470x-common.c @@ -110,6 +110,10 @@ /* kernel includes */ #include "radio-si470x.h" +/* Hardening for Spectre-v1 */ +#include <linux/nospec.h> + + /************************************************************************** * Module Parameters **************************************************************************/ @@ -755,7 +759,7 @@ static int si470x_vidioc_enum_freq_bands(struct file *file, void *priv, return -EINVAL; if (band->index >= ARRAY_SIZE(bands)) return -EINVAL; - *band = bands[band->index]; + *band = bands[array_index_nospec(band->index, ARRAY_SIZE(bands))]; return 0; } -- 2.7.4
