Message ID | 20221223123025.5948-1-a.burakov@rosalinux.ru |
---|---|
State | New |
Headers |
From: Aleksandr Burakov <a.burakov@rosalinux.ru>
To: Sakari Ailus <sakari.ailus@linux.intel.com>, Bingbu Cao <bingbu.cao@intel.com>, Tianshu Qiu <tian.shu.qiu@intel.com>
Cc: Aleksandr Burakov <a.burakov@rosalinux.ru>, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH] staging: media: ipu3: buffer overflow fix in imgu_map_node
Date: Fri, 23 Dec 2022 15:30:25 +0300
Message-Id: <20221223123025.5948-1-a.burakov@rosalinux.ru>
X-Mailer: git-send-email 2.25.1 |
Series | staging: media: ipu3: buffer overflow fix in imgu_map_node |
Commit Message
Aleksandr Burakov
Dec. 23, 2022, 12:30 p.m. UTC
If imgu_node_map[i].css_queue is not equal to css_queue
then "i" after the loop could be equal to IMGU_NODE_NUM
that is more than the border value (IMGU_NODE_NUM - 1).
So imgu_map_node() call may return IMGU_NODE_NUM that is more
than expected value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver")
Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
---
drivers/staging/media/ipu3/ipu3.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Comments
Hi Aleksandr, On Fri, Dec 23, 2022 at 03:30:25PM +0300, Aleksandr Burakov wrote: > If imgu_node_map[i].css_queue is not equal to css_queue > then "i" after the loop could be equal to IMGU_NODE_NUM > that is more than the border value (IMGU_NODE_NUM - 1). > So imgu_map_node() call may return IMGU_NODE_NUM that is more > than expected value. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver") > Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru> > --- > drivers/staging/media/ipu3/ipu3.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c > index 0c453b37f8c4..cb09eb3cc227 100644 > --- a/drivers/staging/media/ipu3/ipu3.c > +++ b/drivers/staging/media/ipu3/ipu3.c > @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue) > for (i = 0; i < IMGU_NODE_NUM; i++) > if (imgu_node_map[i].css_queue == css_queue) > break; > - > - return i; > + if (i < IMGU_NODE_NUM) > + return i; > + else > + return (IMGU_NODE_NUM - 1); > } > > /**************** Dummy buffers ****************/ Thanks for the patch. It would require a bug elsewhere in the driver for this to happen. If some handling for this case is added, it shouldn't be hiding the issue. One easy way could be to add WARN_ON() for this, and return some value (as you do). Zero would do equally well. I.e. return WARN_ON(i >= IMGU_NODE_NUM) ? 0 : i;
On Mon, Jan 02, 2023 at 01:41:21PM +0000, Sakari Ailus wrote: > > diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c > > index 0c453b37f8c4..cb09eb3cc227 100644 > > --- a/drivers/staging/media/ipu3/ipu3.c > > +++ b/drivers/staging/media/ipu3/ipu3.c > > @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue) > > for (i = 0; i < IMGU_NODE_NUM; i++) > > if (imgu_node_map[i].css_queue == css_queue) > > break; > > - > > - return i; > > + if (i < IMGU_NODE_NUM) > > + return i; > > + else > > + return (IMGU_NODE_NUM - 1); > > } > > > > /**************** Dummy buffers ****************/ > > Thanks for the patch. It would require a bug elsewhere in the driver for > this to happen. If some handling for this case is added, it shouldn't be > hiding the issue. > > One easy way could be to add WARN_ON() for this, and return some value (as > you do). Zero would do equally well. > > I.e. > > return WARN_ON(i >= IMGU_NODE_NUM) ? 0 : i; > I sent basically the same response but somehow my email never went through... I'm using mutt with gmail Oauth2 and msmtp and so my weekly(?) login has expired then something silently eats my outgoing emails. In this case the emails that I sent directly before and after went through so it seems like my login wasn't expired or everything would have been eaten. This Oauth2 transition has just been so frustrating. Am I the only person having trouble with it? regards, dan carpenter
diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c index 0c453b37f8c4..cb09eb3cc227 100644 --- a/drivers/staging/media/ipu3/ipu3.c +++ b/drivers/staging/media/ipu3/ipu3.c @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue) for (i = 0; i < IMGU_NODE_NUM; i++) if (imgu_node_map[i].css_queue == css_queue) break; - - return i; + if (i < IMGU_NODE_NUM) + return i; + else + return (IMGU_NODE_NUM - 1); } /**************** Dummy buffers ****************/
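Review bot: the new fallback `return (IMGU_NODE_NUM - 1);` after the loop hides a failed lookup, because an unmatched css_queue is now reported as the last node and any caller that uses the result as a node index will operate on an unrelated node with no indication that the mapping failed. Since the function returns unsigned int and cannot signal an error through its return value, the miss should at least be made visible, for example with the form suggested in the thread, `return WARN_ON(i >= IMGU_NODE_NUM) ? 0 : i;`, so that the in-range return value keeps the array access safe while the underlying driver bug gets logged. On style, the `else` after a `return` and the parentheses around the return expression are both unnecessary, and the blank line that separated the loop from the return is worth keeping.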