-
Mauro Carvalho Chehab authored
The implementation for FE_SET_PROPERTY/FE_GET_PROPERTY has a debug code that might be explored via spectre. Improve the logic in order to mitigate such risk. It should be noticed that, before this patch, the logic which implements FE_GET_PROPERTY doesn't check the length passed by the user, which might lead to expose some information. This is probably not exploitable, though, as the frontend drivers won't rely on the buffer length value set by userspace, but it helps to return a valid value back to userspace. The code was changed to only try to access an array based on userspace values only when DVB debug is turned on, helping to reduce the attack surface, as a speculation attack would work only if DVB dev_dbg() macros are enabled, which is usually enabled only on test Kernels or by the root user. As a side effect, a const array size can now be reduced by ~570 bytes, as it now needs to contain just the name of each DTV command. Signed-off-by:Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Mauro Carvalho Chehab authoredThe implementation for FE_SET_PROPERTY/FE_GET_PROPERTY has a debug code that might be explored via spectre. Improve the logic in order to mitigate such risk. It should be noticed that, before this patch, the logic which implements FE_GET_PROPERTY doesn't check the length passed by the user, which might lead to expose some information. This is probably not exploitable, though, as the frontend drivers won't rely on the buffer length value set by userspace, but it helps to return a valid value back to userspace. The code was changed to only try to access an array based on userspace values only when DVB debug is turned on, helping to reduce the attack surface, as a speculation attack would work only if DVB dev_dbg() macros are enabled, which is usually enabled only on test Kernels or by the root user. As a side effect, a const array size can now be reduced by ~570 bytes, as it now needs to contain just the name of each DTV command. Signed-off-by:
Loading