From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
To: "Martin Tůma" <tumic@gpxsee.org>
Cc: Hans Verkuil <hverkuil@xs4all.nl>,
	Martin Tuma <martin.tuma@digiteqautomotive.com>,
	linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH 05/13] media: mgb4: protect driver against spectre
Date: Fri, 18 Oct 2024 06:32:09 +0200
Message-ID: <20241018063209.69a76bb1@foz.lan>
In-Reply-To: <b5fcb290-5374-4ff3-b74c-a1bd3c802ef0@gpxsee.org>

On Wed, 16 Oct 2024 13:59:18 +0200
Martin Tůma <tumic@gpxsee.org> wrote:

> On 16. 10. 24 12:22 PM, Mauro Carvalho Chehab wrote:
> > Frequency range is set from sysfs via frequency_range_store(),
> > being vulnerable to spectre, as reported by smatch:
> > 
> > 	drivers/media/pci/mgb4/mgb4_cmt.c:231 mgb4_cmt_set_vin_freq_range() warn: potential spectre issue 'cmt_vals_in' [r]
> > 	drivers/media/pci/mgb4/mgb4_cmt.c:238 mgb4_cmt_set_vin_freq_range() warn: possible spectre second half.  'reg_set'
> > 
> > Fix it.
> > 
> > Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> > ---
> >   drivers/media/pci/mgb4/mgb4_cmt.c | 2 ++
> >   1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/media/pci/mgb4/mgb4_cmt.c b/drivers/media/pci/mgb4/mgb4_cmt.c
> > index 70dc78ef193c..a25b68403bc6 100644
> > --- a/drivers/media/pci/mgb4/mgb4_cmt.c
> > +++ b/drivers/media/pci/mgb4/mgb4_cmt.c
> > @@ -227,6 +227,8 @@ void mgb4_cmt_set_vin_freq_range(struct mgb4_vin_dev *vindev,
> >   	u32 config;
> >   	size_t i;
> >   
> > +	freq_range = array_index_nospec(freq_range, ARRAY_SIZE(cmt_vals_in));
> > +
> >   	addr = cmt_addrs_in[vindev->config->id];
> >   	reg_set = cmt_vals_in[freq_range];
> >     
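Review bot: array_index_nospec() at the top of mgb4_cmt_set_vin_freq_range() only clamps the index, it does not reject it, and no architectural bounds check on freq_range is visible in this function before cmt_vals_in[freq_range]. An out-of-range value would be mapped to entry 0 and programmed as if it were valid, so please confirm that frequency_range_store() rejects out-of-range input before calling in, and say so in the commit message, which currently ends at "Fix it." The diffstat shows only these two insertions, so also check that <linux/nospec.h> is included explicitly in mgb4_cmt.c rather than picked up through another header.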
> 
> I still do not fully understand the exact vulnerability here, but the 
> patch should definitely not do any harm, so I'm ok with it even if its 
> real purpose would only be to silence the smatch warning :-)

With Spectre, just checking if freq_range is between 0 and the
size of the array is not enough, as malicious code could use CPU
speculative logic to retrieve data from memory outside the limits
of the array.

As freq_range is specified by the user via sysfs attribute
frequency_range, it is subject to a Spectre v1 attack as described
in Documentation/admin-guide/hw-vuln/spectre.rst.

Silencing smatch is a plus.

> 
> Reviewed-by: Martin Tůma <martin.tuma@digiteqautomotive.com>

Thanks!

Thanks,
Mauro
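
The point made above about bounds checks and speculation, as an added user-space illustration (not code from the patch or from the mgb4 driver): a branchless clamp modelled on the kernel's generic array_index_nospec() fallback, applied after an ordinary bounds check. demo_vals_in, index_mask_nospec(), index_nospec() and demo_lookup() are hypothetical names, and the table values are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for the driver's cmt_vals_in table (made-up values). */
static const uint16_t demo_vals_in[2][4] = {
	{ 0x1111, 0x2222, 0x3333, 0x4444 },
	{ 0x5555, 0x6666, 0x7777, 0x8888 },
};

/*
 * All ones when index < size, zero otherwise. There is no branch here, so
 * there is nothing for the CPU to mispredict. Assumes size <= LONG_MAX and
 * arithmetic right shift of negative values (true for GCC and Clang).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
			       (sizeof(long) * CHAR_BIT - 1));
}

/* In-range indices pass through unchanged; anything else becomes 0. */
static size_t index_nospec(size_t index, size_t size)
{
	return index & index_mask_nospec(index, size);
}

/* Returns 0 and sets *reg_set on success, -1 if freq_range is rejected. */
static int demo_lookup(size_t freq_range, const uint16_t **reg_set)
{
	/* Architectural check: the CPU may still speculate past this branch. */
	if (freq_range >= ARRAY_SIZE(demo_vals_in))
		return -1;
	/* Data-dependent clamp: holds even on the mispredicted path. */
	freq_range = index_nospec(freq_range, ARRAY_SIZE(demo_vals_in));
	*reg_set = demo_vals_in[freq_range];
	return 0;
}

int main(void)
{
	for (size_t i = 0; i < 4; i++)
		printf("index %zu -> clamped %zu\n", i, index_nospec(i, 2));
	return 0;
}
```

On x86 the kernel uses an architecture-specific mask instead of this generic arithmetic, but the contract is the same.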
