| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Jun 2021 14:28:27 +0200
From: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
To: unlisted-recipients:; (no To-header on input)
Cc: linuxarm@...wei.com, mauro.chehab@...wei.com,
Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
Hans Verkuil <hverkuil-cisco@...all.nl>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
linux-kernel@...r.kernel.org, linux-media@...r.kernel.org
Subject: [PATCH 01/11] media: dvb_ca_en50221: avoid speculation from CA slot
As warned by smatch:
drivers/media/dvb-core/dvb_ca_en50221.c:1392 dvb_ca_en50221_io_do_ioctl() warn: potential spectre issue 'ca->slot_info' [r] (local cap)
There's a potential of using a CAM ioctl for speculation.
The risk here is minimum, as only a small subset of DVB
boards have CI, with a CAM module installed. Also, exploiting
it would require an user capable of starting a DVB application.
There are probably a lot of easier ways to try to exploit.
Yet, it doesn't harm addressing it.
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
---
drivers/media/dvb-core/dvb_ca_en50221.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index b7e4a3371176..15a08d8c69ef 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -1386,6 +1386,7 @@ static int dvb_ca_en50221_io_do_ioctl(struct file *file,
err = -EINVAL;
goto out_unlock;
}
+ slot = array_index_nospec(slot, ca->slot_count);
info->type = CA_CI_LINK;
info->flags = 0;
--
2.31.1
Powered by blists - more mailing lists