uvcvideo: prevent speculative execution

Since the index value in function uvc_ioctl_enum_input()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
selector->baSourceID, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Orabug: 27340445
CVE: CVE-2017-5753

Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>

diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
index c4b1ac6750d8d6fb8516ce2f8dcdd06ff629b311..adad6ffe2ec1d61ace5f79319b648b36e7524588 100644 (file)
--- a/drivers/media/usb/uvc/uvc_v4l2.c
+++ b/drivers/media/usb/uvc/uvc_v4l2.c
@@ -802,6 +802,7 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh,
                }
                pin = iterm->id;
        } else if (index < selector->bNrInPins) {
+               osb();
                pin = selector->baSourceID[index];
                list_for_each_entry(iterm, &chain->entities, chain) {
                        if (!UVC_ENTITY_IS_ITERM(iterm))