Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a3d71f25 authored by Mauro Carvalho Chehab's avatar Mauro Carvalho Chehab
Browse files

media: cec-pin-error-inj: avoid a false-positive Spectre detection 



The current logic makes Smatch to false-detect a Spectre variant 1
vulnerability. The problem is that it initializes an u32 indirectly
from user space input.

After trying to write a fixup, after a while I realized that, in
practice, this shouldn't be a problem, as an u32 is initialized
from u8, but it took some time to discover it.

So, do some code cleanup to make it clearer for both humans
and machines about the valid range for "op".

Fix this warning:
	drivers/media/cec/cec-pin-error-inj.c:170 cec_pin_error_inj_parse_line() warn: potential spectre issue 'pin->error_inj_args'

Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
parent 6992effe

drivers/media/cec/cec-pin-error-inj.c

+12 −11
Original line number Diff line number Diff line
@@ -81,10 +81,9 @@ bool cec_pin_error_inj_parse_line(struct cec_adapter *adap, char *line) 
	u64 *error;

	u8 *args;

	bool has_op;

	u32 op;

	u8 op;

	u8 mode;

	u8 pos;

	u8 v;



	p = skip_spaces(p);

	token = strsep(&p, delims);
@@ -146,12 +145,18 @@ bool cec_pin_error_inj_parse_line(struct cec_adapter *adap, char *line) 
	comma = strchr(token, ',');

	if (comma)

		*comma++ = '\0';

	if (!strcmp(token, "any"))

		op = CEC_ERROR_INJ_OP_ANY;

	else if (!kstrtou8(token, 0, &v))

		op = v;

	else

	if (!strcmp(token, "any")) {

		has_op = false;

		error = pin->error_inj + CEC_ERROR_INJ_OP_ANY;

		args = pin->error_inj_args[CEC_ERROR_INJ_OP_ANY];

	} else if (!kstrtou8(token, 0, &op)) {

		has_op = true;

		error = pin->error_inj + op;

		args = pin->error_inj_args[op];

	} else {

		return false;

	}



	mode = CEC_ERROR_INJ_MODE_ONCE;

	if (comma) {

		if (!strcmp(comma, "off"))
@@ -166,10 +171,6 @@ bool cec_pin_error_inj_parse_line(struct cec_adapter *adap, char *line) 
			return false;

	}



	error = pin->error_inj + op;

	args = pin->error_inj_args[op];

	has_op = op <= 0xff;



	token = strsep(&p, delims);

	if (p) {

		p = skip_spaces(p);