media: dvb_ca_en50221: prevent using slot_info for Spectre attacs

slot can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability, as warned by smatch: drivers/media/dvb-core/dvb_ca_en50221.c:1479 dvb_ca_en50221_io_write() warn: potential spectre issue 'ca->slot_info' (local cap) Acked-by: "Jasmin J." <jasmin@anw.at> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

media: dvb_ca_en50221: prevent using slot_info for Spectre attacs
slot can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability, as warned by smatch: drivers/media/dvb-core/dvb_ca_en50221.c:1479 dvb_ca_en50221_io_write() warn: potential spectre issue 'ca->slot_info' (local cap) Acked-by: "Jasmin J." <jasmin@anw.at> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
4f5ab5d7 · Mauro Carvalho Chehab · 782b9d20 · 4f5ab5d7
Commit 4f5ab5d7 authored May 15, 2018 by Mauro Carvalho Chehab
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

drivers/media/dvb-core/dvb_ca_en50221.c drivers/media/dvb-core/dvb_ca_en50221.c +2 -0

No files found.
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -31,6 +31,7 @@
 #include <linux/slab.h>
 #include <linux/list.h>
 #include <linux/module.h>
+#include <linux/nospec.h>
 #include <linux/vmalloc.h>
 #include <linux/delay.h>
 #include <linux/spinlock.h>
@@ -1476,6 +1477,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file,

 	if (slot >= ca->slot_count)
 		return -EINVAL;
+	slot = array_index_nospec(slot, ca->slot_count);
 	sl = &ca->slot_info[slot];

 	/* check if the slot is actually running */