From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
To: "Martin Tůma" <tumic@gpxsee.org>
Cc: Hans Verkuil <hverkuil@xs4all.nl>,
Martin Tuma <martin.tuma@digiteqautomotive.com>,
linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH 05/13] media: mgb4: protect driver against spectre
Date: Fri, 18 Oct 2024 06:32:09 +0200 [thread overview]
Message-ID: <20241018063209.69a76bb1@foz.lan> (raw)
In-Reply-To: <b5fcb290-5374-4ff3-b74c-a1bd3c802ef0@gpxsee.org>
Em Wed, 16 Oct 2024 13:59:18 +0200
Martin Tůma <tumic@gpxsee.org> escreveu:
> On 16. 10. 24 12:22 odp., Mauro Carvalho Chehab wrote:
> > Frequency range is set from sysfs via frequency_range_store(),
> > being vulnerable to spectre, as reported by smatch:
> >
> > drivers/media/pci/mgb4/mgb4_cmt.c:231 mgb4_cmt_set_vin_freq_range() warn: potential spectre issue 'cmt_vals_in' [r]
> > drivers/media/pci/mgb4/mgb4_cmt.c:238 mgb4_cmt_set_vin_freq_range() warn: possible spectre second half. 'reg_set'
> >
> > Fix it.
> >
> > Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> > ---
> > drivers/media/pci/mgb4/mgb4_cmt.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/media/pci/mgb4/mgb4_cmt.c b/drivers/media/pci/mgb4/mgb4_cmt.c
> > index 70dc78ef193c..a25b68403bc6 100644
> > --- a/drivers/media/pci/mgb4/mgb4_cmt.c
> > +++ b/drivers/media/pci/mgb4/mgb4_cmt.c
> > @@ -227,6 +227,8 @@ void mgb4_cmt_set_vin_freq_range(struct mgb4_vin_dev *vindev,
> > u32 config;
> > size_t i;
> >
> > + freq_range = array_index_nospec(freq_range, ARRAY_SIZE(cmt_vals_in));
> > +
> > addr = cmt_addrs_in[vindev->config->id];
> > reg_set = cmt_vals_in[freq_range];
> >
>
> I still do not fully understand the exact vulnerability here, but the
> patch should definitely not do any harm, so I'm ok with it even if it's
> real purpose would only be to silence the smatch warning :-)
With Spectre, just checking if freq_range is between 0 and the
size of the array is not enough, as malicious code could use CPU
speculative logic to retrieve data from memory outside the limits
of the array.
As freq_range is specified by the user via sysfs attribute
frequency_range, it is subject to Spectre v1 attack as described
at Documentation/admin-guide/hw-vuln/spectre.rst.
Silencing smatch is a plus.
>
> Reviewed-by: Martin Tůma <martin.tuma@digiteqautomotive.com>
Thanks!
Thanks,
Mauro
next prev parent reply other threads:[~2024-10-18 4:32 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1729074076.git.mchehab+huawei@kernel.org>
2024-10-16 10:22 ` [PATCH 01/13] media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() Mauro Carvalho Chehab
2024-10-16 10:56 ` Hans Verkuil
2024-10-16 10:22 ` [PATCH 02/13] media: v4l2-tpg: prevent the risk of a division by zero Mauro Carvalho Chehab
2024-10-16 10:49 ` Hans Verkuil
2024-10-16 10:22 ` [PATCH 03/13] media: dvbdev: prevent the risk of out of memory access Mauro Carvalho Chehab
2024-10-16 10:22 ` [PATCH 04/13] media: dvb_frontend: don't play tricks with underflow values Mauro Carvalho Chehab
2024-10-16 10:22 ` [PATCH 05/13] media: mgb4: protect driver against spectre Mauro Carvalho Chehab
2024-10-16 11:59 ` Martin Tůma
2024-10-18 4:32 ` Mauro Carvalho Chehab [this message]
2024-10-18 11:21 ` Martin Tůma
2024-10-16 10:22 ` [PATCH 06/13] media: av7110: fix a spectre vulnerability Mauro Carvalho Chehab
2024-10-16 10:22 ` [PATCH 07/13] media: s5p-jpeg: prevent buffer overflows Mauro Carvalho Chehab
2024-10-17 10:34 ` Jacek Anaszewski
2024-10-16 10:22 ` [PATCH 08/13] media: ar0521: don't overflow when checking PLL values Mauro Carvalho Chehab
2024-10-16 12:57 ` Sakari Ailus
2024-10-16 10:22 ` [PATCH 09/13] media: cx24116: prevent overflows on SNR calculus Mauro Carvalho Chehab
2024-10-16 10:22 ` [PATCH 10/13] media: adv7604 prevent underflow condition when reporting colorspace Mauro Carvalho Chehab
2024-10-16 10:57 ` Hans Verkuil
2024-10-16 11:24 ` Mauro Carvalho Chehab
2024-10-16 11:58 ` Hans Verkuil
2024-10-18 5:01 ` Mauro Carvalho Chehab
2024-10-16 10:22 ` [PATCH 11/13] media: stb0899_algo: initialize cfr before using it Mauro Carvalho Chehab
2024-10-16 10:22 ` [PATCH 12/13] media: cec: extron-da-hd-4k-plus: don't use -1 as an error code Mauro Carvalho Chehab
2024-10-16 10:36 ` Hans Verkuil
2024-10-16 10:22 ` [PATCH 13/13] media: pulse8-cec: fix data timestamp at pulse8_setup() Mauro Carvalho Chehab
2024-10-16 10:40 ` Hans Verkuil
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241018063209.69a76bb1@foz.lan \
--to=mchehab+huawei@kernel.org \
--cc=hverkuil@xs4all.nl \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=martin.tuma@digiteqautomotive.com \
--cc=stable@vger.kernel.org \
--cc=tumic@gpxsee.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox