f->index can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
Smatch warning: drivers/media/platform/rcar-vin/rcar-v4l2.c:344 rvin_enum_fmt_vid_cap() warn: potential spectre issue 'rvin_formats' Fix this by sanitizing f->index before using it to index rvin_formats. Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: sta...@vger.kernel.org Reported-by: Dan Carpenter <dan.carpen...@oracle.com> Signed-off-by: Gustavo A. R. Silva <gust...@embeddedor.com> --- drivers/media/platform/rcar-vin/rcar-v4l2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/rcar-vin/rcar-v4l2.c b/drivers/media/platform/rcar-vin/rcar-v4l2.c index b479b88..bbfc3b8 100644 --- a/drivers/media/platform/rcar-vin/rcar-v4l2.c +++ b/drivers/media/platform/rcar-vin/rcar-v4l2.c @@ -22,6 +22,8 @@ #include "rcar-vin.h" +#include <linux/nospec.h> + #define RVIN_DEFAULT_FORMAT V4L2_PIX_FMT_YUYV #define RVIN_MAX_WIDTH 2048 #define RVIN_MAX_HEIGHT 2048 @@ -340,7 +342,7 @@ static int rvin_enum_fmt_vid_cap(struct file *file, void *priv, { if (f->index >= ARRAY_SIZE(rvin_formats)) return -EINVAL; - + f->index = array_index_nospec(f->index, ARRAY_SIZE(rvin_formats)); f->pixelformat = rvin_formats[f->index].fourcc; return 0; -- 2.7.4
