* [PATCH v2 00/13] Media: fix several issues on drivers
@ 2024-10-18 5:53 Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 06/13] media: av7110: fix a spectre vulnerability Mauro Carvalho Chehab
0 siblings, 1 reply; 2+ messages in thread
From: Mauro Carvalho Chehab @ 2024-10-18 5:53 UTC (permalink / raw)
Cc: Mauro Carvalho Chehab, Krzysztof Hałasa,
Andrzej Pietrasiewicz, Hans Verkuil, Jacek Anaszewski,
Martin Tuma, Mauro Carvalho Chehab, Sakari Ailus,
Sylwester Nawrocki, linux-arm-kernel, linux-kernel, linux-media,
linux-staging
There are a number of issues that aren't passing on smatch or Coverity.
Address some of them.
Mauro Carvalho Chehab (13):
media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
media: v4l2-tpg: prevent the risk of a division by zero
media: dvbdev: prevent the risk of out of memory access
media: dvb_frontend: don't play tricks with underflow values
media: mgb4: protect driver against spectre
media: av7110: fix a spectre vulnerability
media: s5p-jpeg: prevent buffer overflows
media: ar0521: don't overflow when checking PLL values
media: cx24116: prevent overflows on SNR calculus
media: adv7604: prevent underflow condition when reporting colorspace
media: stb0899_algo: initialize cfr before using it
media: cec: extron-da-hd-4k-plus: don't use -1 as an error code
media: pulse8-cec: fix data timestamp at pulse8_setup()
.../extron-da-hd-4k-plus.c | 6 ++---
drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +-
drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +++
drivers/media/dvb-core/dvb_frontend.c | 4 +--
drivers/media/dvb-core/dvbdev.c | 17 ++++++++++--
drivers/media/dvb-frontends/cx24116.c | 7 ++++-
drivers/media/dvb-frontends/stb0899_algo.c | 2 +-
drivers/media/i2c/adv7604.c | 26 ++++++++++++-------
drivers/media/i2c/ar0521.c | 4 +--
drivers/media/pci/mgb4/mgb4_cmt.c | 2 ++
.../platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++-----
drivers/media/v4l2-core/v4l2-ctrls-api.c | 16 ++++++++----
drivers/staging/media/av7110/av7110.h | 4 ++-
drivers/staging/media/av7110/av7110_ca.c | 25 ++++++++++++------
14 files changed, 94 insertions(+), 41 deletions(-)
--
2.47.0
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH v2 06/13] media: av7110: fix a spectre vulnerability
2024-10-18 5:53 [PATCH v2 00/13] Media: fix several issues on drivers Mauro Carvalho Chehab
@ 2024-10-18 5:53 ` Mauro Carvalho Chehab
0 siblings, 0 replies; 2+ messages in thread
From: Mauro Carvalho Chehab @ 2024-10-18 5:53 UTC (permalink / raw)
Cc: Mauro Carvalho Chehab, Greg Kroah-Hartman, Hans Verkuil,
Mauro Carvalho Chehab, Stefan Herdler, linux-kernel, linux-media,
linux-staging, stable
As warned by smatch:
drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap)
There is a spectre-related vulnerability at the code. Fix it.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
---
drivers/staging/media/av7110/av7110.h | 4 +++-
drivers/staging/media/av7110/av7110_ca.c | 25 ++++++++++++++++--------
2 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/drivers/staging/media/av7110/av7110.h b/drivers/staging/media/av7110/av7110.h
index ec461fd187af..b584754f4be0 100644
--- a/drivers/staging/media/av7110/av7110.h
+++ b/drivers/staging/media/av7110/av7110.h
@@ -88,6 +88,8 @@ struct infrared {
u32 ir_config;
};
+#define MAX_CI_SLOTS 2
+
/* place to store all the necessary device information */
struct av7110 {
/* devices */
@@ -163,7 +165,7 @@ struct av7110 {
/* CA */
- struct ca_slot_info ci_slot[2];
+ struct ca_slot_info ci_slot[MAX_CI_SLOTS];
enum av7110_video_mode vidmode;
struct dmxdev dmxdev;
diff --git a/drivers/staging/media/av7110/av7110_ca.c b/drivers/staging/media/av7110/av7110_ca.c
index 6ce212c64e5d..fce4023c9dea 100644
--- a/drivers/staging/media/av7110/av7110_ca.c
+++ b/drivers/staging/media/av7110/av7110_ca.c
@@ -26,23 +26,28 @@
void CI_handle(struct av7110 *av7110, u8 *data, u16 len)
{
+ unsigned slot_num;
+
dprintk(8, "av7110:%p\n", av7110);
if (len < 3)
return;
switch (data[0]) {
case CI_MSG_CI_INFO:
- if (data[2] != 1 && data[2] != 2)
+ if (data[2] != 1 && data[2] != MAX_CI_SLOTS)
break;
+
+ slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS);
+
switch (data[1]) {
case 0:
- av7110->ci_slot[data[2] - 1].flags = 0;
+ av7110->ci_slot[slot_num].flags = 0;
break;
case 1:
- av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT;
+ av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT;
break;
case 2:
- av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY;
+ av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY;
break;
}
break;
@@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
case CA_GET_SLOT_INFO:
{
struct ca_slot_info *info = (struct ca_slot_info *)parg;
+ unsigned int slot_num;
if (info->num < 0 || info->num > 1) {
mutex_unlock(&av7110->ioctl_mutex);
return -EINVAL;
}
- av7110->ci_slot[info->num].num = info->num;
- av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
- CA_CI_LINK : CA_CI;
- memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info));
+ slot_num = array_index_nospec(info->num, MAX_CI_SLOTS);
+
+ av7110->ci_slot[slot_num].num = info->num;
+ av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
+ CA_CI_LINK : CA_CI;
+ memcpy(info, &av7110->ci_slot[slot_num],
+ sizeof(struct ca_slot_info));
break;
}
--
2.47.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-10-18 5:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-18 5:53 [PATCH v2 00/13] Media: fix several issues on drivers Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 06/13] media: av7110: fix a spectre vulnerability Mauro Carvalho Chehab
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).