Message ID | 1690432469-14803-5-git-send-email-quic_vgarodia@quicinc.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:a985:0:b0:3e4:2afc:c1 with SMTP id t5csp847385vqo; Wed, 26 Jul 2023 21:51:01 -0700 (PDT) X-Google-Smtp-Source: APBJJlFRJTvoiDORricwWR4S1TO3woKyP0E8TaS9evBmCqFqlTAmRWscMCfuYWQhD8LEyxbjmtIr X-Received: by 2002:a05:6a20:441e:b0:133:7ad8:71b5 with SMTP id ce30-20020a056a20441e00b001337ad871b5mr2217704pzb.0.1690433461055; Wed, 26 Jul 2023 21:51:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690433461; cv=none; d=google.com; s=arc-20160816; b=Ye8O2cXcyH8QfZVY8H1ovr99y/juglc/g0xfUsYj9nH1IzXIH8/2ctzaFFDXlC4no2 0O1P5ww6raLocyo0TfXGoc/BrG00AfxnpByOGTVOBNB0ZnXwqswkrEL82ghx7ZkSlZf3 lSHufZiSdN6KmTcN3YZyfOygSsEka/XU+DhYR6+5U4z05GsUOWI1XcID/3gr1O19CnMs F+s0orX7dg6GlYzlfS//gr8Sngfb+CN37teGN5Ub911BS8S1ldH656ryvsg+Zw6KEh5P ysdQIqDoQd5ZcwuutHaorI/Z3WSRm5cC/fNkYSVpvawjMvRrlZEEVy9PSi+p5EqFylOW xbpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=svPmzVI+7eFon/1ocEodK5MNmMYxEhx6SeLGE+hwf/s=; fh=GcndwOMBf1bnpW+bW+jgpNWzVvxAZNEz+Wt3jUkG7qY=; b=Ovo8R6TGXNk4H80Bh2qTm1Lt+CbITloFPVb9ZBfTV4PlDH4c/vcmcRanQ8hSVcA/BS 9qbIprWArKvLuEl7PhmscULsh2PrJc2lzXdWK+WeFc+0RIox3SMYcNIF+Rz3cXtbmJsn Qp9bQdJq2dHLvbcGtvU/m4f2B47tbKjXj2kuoUqTsTXQxYnpGeUYHcmDT8kD4b7mpKeg eI/6r+hgojOfh7Ge+8ST4rqwkREZWBYrPjKspXAax4p4I3/4J4rQ4k+z6M4svqdFXsdO tMiiUhkEqkbL+3VlfW0vUWcbpJ4mnkst8c0W7VKS7hVu/G79dhigyfiBTeNRqzQnJLta 3xxA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=nA6M0slj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t12-20020a63444c000000b005639a610f7csi481130pgk.841.2023.07.26.21.50.47; Wed, 26 Jul 2023 21:51:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=nA6M0slj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231572AbjG0Efz (ORCPT <rfc822;kloczko.tomasz@gmail.com> + 99 others); Thu, 27 Jul 2023 00:35:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60096 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231367AbjG0Efo (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Thu, 27 Jul 2023 00:35:44 -0400 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 921662D4E; Wed, 26 Jul 2023 21:35:31 -0700 (PDT) Received: from pps.filterd (m0279863.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 36R3iaVD014865; Thu, 27 Jul 2023 04:35:25 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-type; s=qcppdkim1; bh=svPmzVI+7eFon/1ocEodK5MNmMYxEhx6SeLGE+hwf/s=; b=nA6M0sljBsdXz0X4ZJSUTF7pPeDdcQzJtFrqxnPnNpAb6x1OTVNBz+DoJ7uS3bPgtMSv T55MaxKqL4M1CipQhwB7XhwQ808JCqwxy5tANtKcciu+/bfVeKCuKADDqaChYP71878v BftnKN3cl8h2GWb2S8SM+RUnHAs1qRa4LH0M+eipG1Ghxq8SgDRUEM8iGoKrEeCzH7G8 N0jKOlRusAxwUDX9MjBOu0BmN4P5njuSQoRdGGfYpl237ZSF7bCbZv2tDdgid7AjqlCp VTiwh5bZFPwYW7hX/h4//JzgX4v5wkvOBEAbQ2T4km1U+Lv2BOoNg0zFriW9HwrV665y sQ== Received: from nasanppmta05.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3s336t1ps4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 27 Jul 2023 04:35:25 +0000 Received: from nasanex01a.na.qualcomm.com (nasanex01a.na.qualcomm.com [10.52.223.231]) by NASANPPMTA05.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 36R4ZOCs008336 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 27 Jul 2023 04:35:24 GMT Received: from hu-vgarodia-hyd.qualcomm.com (10.80.80.8) by nasanex01a.na.qualcomm.com (10.52.223.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.30; Wed, 26 Jul 2023 21:35:20 -0700 From: Vikash Garodia <quic_vgarodia@quicinc.com> To: <stanimir.k.varbanov@gmail.com>, <bryan.odonoghue@linaro.org>, <agross@kernel.org>, <andersson@kernel.org>, <konrad.dybcio@linaro.org>, <mchehab@kernel.org>, <hans.verkuil@cisco.com>, <tfiga@chromium.org> CC: <linux-media@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <stable@vger.kernel.org>, Vikash Garodia <quic_vgarodia@quicinc.com> Subject: [PATCH 4/4] venus: hfi_parser: Add check to keep the number of codecs within range Date: Thu, 27 Jul 2023 10:04:29 +0530 Message-ID: <1690432469-14803-5-git-send-email-quic_vgarodia@quicinc.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1690432469-14803-1-git-send-email-quic_vgarodia@quicinc.com> References: <1690432469-14803-1-git-send-email-quic_vgarodia@quicinc.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01b.na.qualcomm.com (10.46.141.250) To nasanex01a.na.qualcomm.com (10.52.223.231) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: DxI9Z8gqI8_QxqUSDGZsv-WpMyzurp5r X-Proofpoint-GUID: DxI9Z8gqI8_QxqUSDGZsv-WpMyzurp5r X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.591,FMLib:17.11.176.26 definitions=2023-07-26_08,2023-07-26_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0 clxscore=1015 mlxlogscore=999 adultscore=0 lowpriorityscore=0 suspectscore=0 priorityscore=1501 bulkscore=0 impostorscore=0 mlxscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2306200000 definitions=main-2307270041 X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772547956539486496 X-GMAIL-MSGID: 1772547956539486496 |
Series |
Venus driver fixes to avoid possible OOB accesses
|
|
Commit Message
Vikash Garodia
July 27, 2023, 4:34 a.m. UTC
Supported codec bitmask is populated from the payload from venus firmware.
There is a possible case when all the bits in the codec bitmask is set. In
such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized.
Now while filling the caps for encoder, it can lead to access the caps
array beyong 32 index. Hence leading to OOB write.
The fix counts the supported encoder and decoder. If the count is more than
max, then it skips accessing the caps.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
---
drivers/media/platform/qcom/venus/hfi_parser.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
Comments
On 27.07.2023 06:34, Vikash Garodia wrote: > Supported codec bitmask is populated from the payload from venus firmware. > There is a possible case when all the bits in the codec bitmask is set. In > such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized. > Now while filling the caps for encoder, it can lead to access the caps > array beyong 32 index. Hence leading to OOB write. > The fix counts the supported encoder and decoder. If the count is more than > max, then it skips accessing the caps. > > Cc: stable@vger.kernel.org > Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") > Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> > --- > drivers/media/platform/qcom/venus/hfi_parser.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c > index ec73cac..651e215 100644 > --- a/drivers/media/platform/qcom/venus/hfi_parser.c > +++ b/drivers/media/platform/qcom/venus/hfi_parser.c > @@ -14,11 +14,26 @@ > typedef void (*func)(struct hfi_plat_caps *cap, const void *data, > unsigned int size); > > +static int count_setbits(u32 input) hweight_long()? Konrad
diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c index ec73cac..651e215 100644 --- a/drivers/media/platform/qcom/venus/hfi_parser.c +++ b/drivers/media/platform/qcom/venus/hfi_parser.c @@ -14,11 +14,26 @@ typedef void (*func)(struct hfi_plat_caps *cap, const void *data, unsigned int size); +static int count_setbits(u32 input) +{ + u32 count = 0; + + while (input > 0) { + if ((input & 1) == 1) + count++; + input >>= 1; + } + return count; +} + static void init_codecs(struct venus_core *core) { struct hfi_plat_caps *caps = core->caps, *cap; unsigned long bit; + if ((count_setbits(core->dec_codecs) + count_setbits(core->enc_codecs)) > MAX_CODEC_NUM) + return; + for_each_set_bit(bit, &core->dec_codecs, MAX_CODEC_NUM) { cap = &caps[core->codecs_count++]; cap->codec = BIT(bit);