diff options
author | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2018-05-15 15:31:38 +0300 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2018-05-16 17:17:22 +0300 |
commit | 4f5ab5d7a5e765ad231a132f82cec71de88b9aad (patch) | |
tree | 9a326c770e388b1b2ddc19dcc109fe299d8a5dac | |
parent | 782b9d201112ae526a823ddba522c88c761585c7 (diff) | |
download | linux-4f5ab5d7a5e765ad231a132f82cec71de88b9aad.tar.xz |
media: dvb_ca_en50221: prevent using slot_info for Spectre attacs
slot can be controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability,
as warned by smatch:
drivers/media/dvb-core/dvb_ca_en50221.c:1479 dvb_ca_en50221_io_write() warn: potential spectre issue 'ca->slot_info' (local cap)
Acked-by: "Jasmin J." <jasmin@anw.at>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-rw-r--r-- | drivers/media/dvb-core/dvb_ca_en50221.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c index 97365a863519..1310526b0d49 100644 --- a/drivers/media/dvb-core/dvb_ca_en50221.c +++ b/drivers/media/dvb-core/dvb_ca_en50221.c @@ -31,6 +31,7 @@ #include <linux/slab.h> #include <linux/list.h> #include <linux/module.h> +#include <linux/nospec.h> #include <linux/vmalloc.h> #include <linux/delay.h> #include <linux/spinlock.h> @@ -1476,6 +1477,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file, if (slot >= ca->slot_count) return -EINVAL; + slot = array_index_nospec(slot, ca->slot_count); sl = &ca->slot_info[slot]; /* check if the slot is actually running */ |