Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: cec-pin-error-inj: avoid a false-positive Spectre detection

The current logic makes Smatch false-detect a Spectre variant 1
vulnerability. The problem is that it initializes a u32 indirectly
from user space input.

After trying to write a fixup, after a while I realized that, in
practice, this shouldn't be a problem, as a u32 is initialized
from u8, but it took some time to discover it.

So, do some code cleanup to make it clearer for both humans
and machines about the valid range for "op".

Fix this warning:
drivers/media/cec/cec-pin-error-inj.c:170 cec_pin_error_inj_parse_line() warn: potential spectre issue 'pin->error_inj_args'

Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

+12 -11
drivers/media/cec/cec-pin-error-inj.c
··· 81 81 u64 *error; 82 82 u8 *args; 83 83 bool has_op; 84 - u32 op; 84 + u8 op; 85 85 u8 mode; 86 86 u8 pos; 87 - u8 v; 88 87 89 88 p = skip_spaces(p); 90 89 token = strsep(&p, delims); ··· 145 146 comma = strchr(token, ','); 146 147 if (comma) 147 148 *comma++ = '\0'; 148 - if (!strcmp(token, "any")) 149 - op = CEC_ERROR_INJ_OP_ANY; 150 - else if (!kstrtou8(token, 0, &v)) 151 - op = v; 152 - else 149 + if (!strcmp(token, "any")) { 150 + has_op = false; 151 + error = pin->error_inj + CEC_ERROR_INJ_OP_ANY; 152 + args = pin->error_inj_args[CEC_ERROR_INJ_OP_ANY]; 153 + } else if (!kstrtou8(token, 0, &op)) { 154 + has_op = true; 155 + error = pin->error_inj + op; 156 + args = pin->error_inj_args[op]; 157 + } else { 153 158 return false; 159 + } 160 + 154 161 mode = CEC_ERROR_INJ_MODE_ONCE; 155 162 if (comma) { 156 163 if (!strcmp(comma, "off")) ··· 170 165 else 171 166 return false; 172 167 } 173 - 174 - error = pin->error_inj + op; 175 - args = pin->error_inj_args[op]; 176 - has_op = op <= 0xff; 177 168 178 169 token = strsep(&p, delims); 179 170 if (p) {
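
Review bot: In the declarations hunk, `u8 op;` is now the only thing bounding the index used in `pin->error_inj + op` and `pin->error_inj_args[op]`, and nothing in the visible lines states that or ties it to the size of those arrays. A one-line comment at the declaration saying the u8 type is what keeps the user-supplied value in range, or a compile-time check on the array size next to the lookup, would keep a later widening of `op` from silently bringing back an unbounded index and the Smatch warning with it.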
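
Review bot: In the `"any"` branch of the parsing hunk, `op` is never assigned (only `has_op = false`, `error` and `args` are set), whereas the removed code always gave it a value before `has_op = op <= 0xff`. Every later read of `op` now has to sit behind a `has_op` check that is outside the visible lines; initialising `op` to 0 at its declaration would make that safe regardless and avoid a maybe-uninitialized compiler warning. Assigning `CEC_ERROR_INJ_OP_ANY` to it is not an option, since the removed `op <= 0xff` test implies that constant does not fit in a u8.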