@@ -110,6 +110,10 @@
/* kernel includes */
#include "radio-si470x.h"
+/* Hardening for Spectre-v1 */
+#include <linux/nospec.h>
+
+
/**************************************************************************
* Module Parameters
**************************************************************************/
@@ -755,7 +759,7 @@ static int si470x_vidioc_enum_freq_bands(struct file *file, void *priv,
return -EINVAL;
if (band->index >= ARRAY_SIZE(bands))
return -EINVAL;
- *band = bands[band->index];
+ *band = bands[array_index_nospec(band->index, ARRAY_SIZE(bands))];
return 0;
}
band->index can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/media/radio/si470x/radio-si470x-common.c:758 si470x_vidioc_enum_freq_bands() warn: potential spectre issue 'bands' Fix this by sanitizing band->index before using it to index `bands' Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> --- drivers/media/radio/si470x/radio-si470x-common.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)