From 7dd7ad0b13eb99b650d92ea3b1a2ca170a567216 Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Wed, 30 Aug 2017 13:41:27 +0300
Subject: [PATCH 144/194] uvcvideo: prevent speculative execution

Since the index value in function uvc_ioctl_enum_input() seems to be controllable by userspace and later on conditionally (upon bound check) used to resolve selector->baSourceID, insert an observable speculation barrier before its usage. This should prevent observable speculation on that branch and avoid kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/media/usb/uvc/uvc_v4l2.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
index 3e7e283..65175bb 100644
--- a/drivers/media/usb/uvc/uvc_v4l2.c
+++ b/drivers/media/usb/uvc/uvc_v4l2.c
@@ -821,6 +821,7 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh,
 }
 pin = iterm->id;
 } else if (index < selector->bNrInPins) {
+ osb();
 pin = selector->baSourceID[index];
 list_for_each_entry(iterm, &chain->entities, chain) {
 if (!UVC_ENTITY_IS_ITERM(iterm))
-- 
2.9.5
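Review bot: The added `osb();` in the `else if (index < selector->bNrInPins)` branch has no comment tying it to the `selector->baSourceID[index]` load that follows, so a later cleanup could move or drop it without noticing that it is a speculation guard. A comment such as `/* index comes from userspace: no speculative baSourceID[] load past the bounds check */` directly above it would record that. On trees that provide `array_index_nospec()` from `<linux/nospec.h>`, clamping the index is narrower than a full barrier on this ioctl path: `index = array_index_nospec(index, selector->bNrInPins);` before the load. The diffstat shows a single insertion and no new include, so `osb()` presumably comes from a header added elsewhere in this series, which is worth confirming for a standalone backport. The body of uvc_ioctl_enum_input starts and ends outside the hunk.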