From: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>

commit 458ea1c0be991573ec436aa0afa23baacfae101a upstream.

As warned by smatch:
	drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap)

There is a spectre-related vulnerability at the code. Fix it.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/staging/media/av7110/av7110.h    |  4 +++-
 drivers/staging/media/av7110/av7110_ca.c | 25 +++++++++++++++++--------
 2 files changed, 20 insertions(+), 9 deletions(-)

--- a/drivers/staging/media/av7110/av7110.h
+++ b/drivers/staging/media/av7110/av7110.h
@@ -88,6 +88,8 @@ struct infrared {
 	u32 ir_config;
 };
+#define MAX_CI_SLOTS 2
+
 /* place to store all the necessary device information */
 struct av7110 {
 	/* devices */
@@ -163,7 +165,7 @@ struct av7110 {
 	/* CA */
-	struct ca_slot_info ci_slot[2];
+	struct ca_slot_info ci_slot[MAX_CI_SLOTS];
 	enum av7110_video_mode vidmode;
 	struct dmxdev dmxdev;
--- a/drivers/staging/media/av7110/av7110_ca.c
+++ b/drivers/staging/media/av7110/av7110_ca.c
@@ -26,23 +26,28 @@ void CI_handle(struct av7110 *av7110, u8 *data, u16 len)
 {
+	unsigned slot_num;
+
 	dprintk(8, "av7110:%p\n", av7110);
 	if (len < 3)
 		return;
 	switch (data[0]) {
 	case CI_MSG_CI_INFO:
-		if (data[2] != 1 && data[2] != 2)
+		if (data[2] != 1 && data[2] != MAX_CI_SLOTS)
 			break;
+
+		slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS);
+
 		switch (data[1]) {
 		case 0:
-			av7110->ci_slot[data[2] - 1].flags = 0;
+			av7110->ci_slot[slot_num].flags = 0;
 			break;
 		case 1:
-			av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT;
+			av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT;
 			break;
 		case 2:
-			av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY;
+			av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY;
 			break;
 		}
 		break;
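Review bot: The slot check in CI_handle, `if (data[2] != 1 && data[2] != MAX_CI_SLOTS)`, only accepts the first and the last slot number, so it is correct solely because MAX_CI_SLOTS happens to be 2; raising the constant later would silently reject the slots in between while the array grows. Now that the bound has a name, the check should express the range, `if (data[2] < 1 || data[2] > MAX_CI_SLOTS)`. The new local is declared as bare `unsigned slot_num;` whereas the dvb_ca_ioctl hunk uses `unsigned int slot_num;`; checkpatch prefers the spelled-out form, so using `unsigned int` here keeps both hunks consistent. CI_handle's body continues past the end of the hunk.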
@@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *fil
 	case CA_GET_SLOT_INFO:
 	{
 		struct ca_slot_info *info = (struct ca_slot_info *)parg;
+		unsigned int slot_num;
 		if (info->num < 0 || info->num > 1) {
 			mutex_unlock(&av7110->ioctl_mutex);
 			return -EINVAL;
 		}
-		av7110->ci_slot[info->num].num = info->num;
-		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
-							CA_CI_LINK : CA_CI;
-		memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info));
+		slot_num = array_index_nospec(info->num, MAX_CI_SLOTS);
+
+		av7110->ci_slot[slot_num].num = info->num;
+		av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
+							CA_CI_LINK : CA_CI;
+		memcpy(info, &av7110->ci_slot[slot_num],
+		       sizeof(struct ca_slot_info));
 		break;
 	}

Patches currently in stable-queue which might be from mchehab+huawei@xxxxxxxxxx are

queue-6.11/media-dvb-core-add-missing-buffer-index-check.patch
queue-6.11/media-dvb_frontend-don-t-play-tricks-with-underflow-.patch
queue-6.11/media-cx24116-prevent-overflows-on-snr-calculus.patch
queue-6.11/media-mgb4-protect-driver-against-spectre.patch
queue-6.11/media-adv7604-prevent-underflow-condition-when-repor.patch
queue-6.11/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch
queue-6.11/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch
queue-6.11/media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch
queue-6.11/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
queue-6.11/media-av7110-fix-a-spectre-vulnerability.patch
queue-6.11/media-ar0521-don-t-overflow-when-checking-pll-values.patch
queue-6.11/media-s5p-jpeg-prevent-buffer-overflows.patch
queue-6.11/media-stb0899_algo-initialize-cfr-before-using-it.patch
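Review bot: The range check at the top of the CA_GET_SLOT_INFO case still hard-codes the upper index, `if (info->num < 0 || info->num > 1) {`, while the new `array_index_nospec(info->num, MAX_CI_SLOTS)` line below takes its bound from the macro; array_index_nospec() does not fail on an out-of-range index, so this explicit check is the only thing that rejects one, and the two bounds can drift apart. Deriving the check from the same constant, `if (info->num < 0 || info->num >= MAX_CI_SLOTS) {`, ties the validation to the array size. Neither hunk in av7110_ca.c adds an include for array_index_nospec(); if the file does not already pull in `<linux/nospec.h>`, that include is needed. dvb_ca_ioctl starts and ends outside the hunk.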