From patchwork Mon Apr 23 17:48:11 2018
X-Patchwork-Submitter: "Gustavo A. R. Silva"
X-Patchwork-Id: 10357979
X-Patchwork-Delegate: geert@linux-m68k.org
Date: Mon, 23 Apr 2018 12:48:11 -0500
From: "Gustavo A. R. Silva"
To: Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva", Dan Carpenter
Cc: Ramesh Shanmugasundaram, linux-renesas-soc@vger.kernel.org
Subject: [PATCH 07/11] rcar_drif: fix potential Spectre variant 1

f->index can be controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.

Smatch warning:
drivers/media/platform/rcar_drif.c:909 rcar_drif_enum_fmt_sdr_cap() warn: potential spectre issue 'formats'

Fix this by sanitizing f->index before using it to index formats.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter
Signed-off-by: Gustavo A. R. Silva
---
 drivers/media/platform/rcar_drif.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/rcar_drif.c b/drivers/media/platform/rcar_drif.c index dc7e280..2c21ec2 100644 --- a/drivers/media/platform/rcar_drif.c +++ b/drivers/media/platform/rcar_drif.c @@ -66,6 +66,8 @@ #include #include +#include + /* DRIF register offsets */ #define RCAR_DRIF_SITMDR1 0x00 #define RCAR_DRIF_SITMDR2 0x04 @@ -905,7 +907,7 @@ static int rcar_drif_enum_fmt_sdr_cap(struct file *file, void *priv, { if (f->index >= ARRAY_SIZE(formats)) return -EINVAL; - + f->index = array_index_nospec(f->index, ARRAY_SIZE(formats)); f->pixelformat = formats[f->index].pixelformat; return 0;
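Review bot: in the second hunk the new `array_index_nospec()` line replaces the blank line that separated the `return -EINVAL;` early exit from the assignment, so the clamp now sits directly under the `return` and reads at a glance as part of the `if` body. Keep the blank line and put the clamp below it, and consider a one-line comment saying the clamp exists to stop speculation past the bounds check, because the architectural check directly above makes it look redundant to a later reader. Writing the clamped value back into `f->index` does not change any in-range value, though a local index variable would avoid modifying the caller's struct at all.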
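The sanitizing step the commit message describes (bounds check first, then a branch-free clamp of the index before the load), as an added user-space sketch that is not code from the patch or the kernel tree. `index_mask_nospec`, `index_nospec`, `demo_enum_fmt` and the `demo_formats` table are hypothetical names with constructed values; the mask arithmetic is modeled on the kernel's generic `array_index_mask_nospec()` fallback.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Constructed stand-in for the driver's format table (values are made up). */
static const unsigned int demo_formats[] = { 0x11111111u, 0x22222222u, 0x33333333u };
#define DEMO_NFORMATS (sizeof(demo_formats) / sizeof(demo_formats[0]))

/*
 * All ones when index < size, zero otherwise, computed without a branch.
 * Assumes size <= LONG_MAX and an arithmetic right shift of negative
 * values (what GCC and Clang do).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp: in-range indexes pass through unchanged, anything else becomes 0. */
static size_t index_nospec(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* Same order as the patched handler: bounds check, clamp, then the load. */
static int demo_enum_fmt(unsigned int user_index, unsigned int *pixelformat)
{
    if (user_index >= DEMO_NFORMATS)
        return -1;                      /* the driver returns -EINVAL here */

    user_index = (unsigned int)index_nospec(user_index, DEMO_NFORMATS);
    *pixelformat = demo_formats[user_index];
    return 0;
}

int main(void)
{
    unsigned int pf = 0;

    for (unsigned int i = 0; i < 5; i++) {
        int ret = demo_enum_fmt(i, &pf);
        printf("index %u: mask=%#lx ret=%d\n", i,
               index_mask_nospec(i, DEMO_NFORMATS), ret);
    }
    return 0;
}
```

The in-kernel helper also hides the index from the optimizer and uses architecture-specific mask code where available; this sketch only shows the arithmetic that makes the loaded index data-dependent on the bounds comparison.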