From: Johannes Berg <johannes@sipsolutions.net>
To: Masashi Honma <masashi.honma@gmail.com>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH 2/2] nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
Date: Thu, 27 Sep 2018 11:43:00 +0200
Message-ID: <1538041380.14416.26.camel@sipsolutions.net>
In-Reply-To: <26b99a9d-85c1-ea9a-cb9e-0dc7bf9eb467@gmail.com> (sfid-20180927_002653_715119_DE765A63)

On Thu, 2018-09-27 at 07:26 +0900, Masashi Honma wrote:
> On 2018/09/26 18:23, Johannes Berg wrote:
> > I applied the first patch in the series, but I don't understand why this
> > patch should be necessary.
> > 
> > The value of i isn't controlled by the user, so it shouldn't need to be
> > sanitized?
> > 
> > The context was *just* missing, added by me:
> > 
> >          for (i = 0; i < n; i++)
> > >   		if (last < wdev->cqm_config->rssi_thresholds[i])
> > >   			break;
> > 
> > This loop determines i, and the user doesn't even control "last", but
> > even if they did, the possible values of i could only end up being in
> > the range 0..n-1, so no problems?
> 
> The variable i could be n after the loop when this condition is not 
> satisfied for all rssi_thresholds[i].
> 
>  >>   		if (last < wdev->cqm_config->rssi_thresholds[i])
>  >>   			break;
> 
> And user could control rssi_thresholds[i] by using 
> NL80211_ATTR_CQM_RSSI_THOLD.
> 
> For example, I could set 4 rssi_thresholds -400, -300, -200, -100.
> And then last is -34. I could get i = n = 4 after the loop.

Yes, good point, thanks for the explanation.

I'll merge this then.

johannes
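
The case settled in this exchange, as an added example that is not part of the original mail or of the patch under review: a userspace C model of the quoted loop ending with i == n for the thresholds given above, followed by a branch-free index clamp modelled on the kernel's generic array_index_nospec(). The names find_slot, index_nospec and upper_bound are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Values from the thread: four thresholds; last = -34 is above all of them. */
static const int thread_thresholds[] = { -400, -300, -200, -100 };

/* The quoted loop: returns the first index whose threshold exceeds `last`,
 * or n when none does. */
static unsigned long find_slot(const int *th, unsigned long n, int last)
{
	unsigned long i;

	for (i = 0; i < n; i++)
		if (last < th[i])
			break;
	return i;
}

/* Userspace model of the kernel's generic array_index_nospec(): the mask is
 * all ones when index < size and zero otherwise, computed without a branch.
 * Assumes size <= LONG_MAX and an arithmetic right shift on signed long. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	long mask = ~(long)(index | (size - 1UL - index)) >>
		    (sizeof(long) * CHAR_BIT - 1);

	return index & (unsigned long)mask;
}

/* Hypothetical consumer of i (not the kernel function): architectural bounds
 * check, then a clamped index so a mispredicted branch cannot index past th[]. */
static int upper_bound(const int *th, unsigned long n, int last)
{
	unsigned long i = find_slot(th, n, last);

	if (i < n)
		return th[index_nospec(i, n)];
	return INT_MAX;	/* i == n: no threshold above `last` */
}

int main(void)
{
	printf("last=-34:  i=%lu upper=%d\n", find_slot(thread_thresholds, 4, -34),
	       upper_bound(thread_thresholds, 4, -34));
	printf("last=-250: i=%lu upper=%d\n", find_slot(thread_thresholds, 4, -250),
	       upper_bound(thread_thresholds, 4, -250));
	return 0;
}
```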


Thread overview: 5+ messages
2018-09-25  2:15 [PATCH 1/2] nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT Masashi Honma
2018-09-25  2:15 ` [PATCH 2/2] nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds Masashi Honma
2018-09-26  9:23   ` Johannes Berg
2018-09-26 22:26     ` Masashi Honma
2018-09-27  9:43       ` Johannes Berg [this message]
