Message ID | 20230328100951.536955-1-harperchen1110@gmail.com |
---|---|
State | New |
Headers |
From: Wei Chen <harperchen1110@gmail.com> To: tiffany.lin@mediatek.com Cc: andrew-ct.chen@mediatek.com, yunfei.dong@mediatek.com, mchehab@kernel.org, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Wei Chen <harperchen1110@gmail.com> Subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup Date: Tue, 28 Mar 2023 10:09:51 +0000 Message-Id: <20230328100951.536955-1-harperchen1110@gmail.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org |
Series |
media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
|
|
Commit Message
Wei Chen
March 28, 2023, 10:09 a.m. UTC
variable *nplanes is provided by user via system call argument. The
possible value of q_data->fmt->num_planes is 1-3, while the value
of *nplanes can be 1-8. The array access by index i can cause array
out-of-bounds.
Fix this bug by checking *nplanes against the array size.
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
---
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c | 7 +++++++
1 file changed, 7 insertions(+)
Comments
Hi Wei,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on media-tree/master]
[also build test WARNING on linus/master v6.3-rc4 next-20230328]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
base: git://linuxtv.org/media_tree.git master
patch link: https://lore.kernel.org/r/20230328100951.536955-1-harperchen1110%40gmail.com
patch subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
config: riscv-allmodconfig (https://download.01.org/0day-ci/archive/20230328/202303282152.CXxK3RNH-lkp@intel.com/config)
compiler: riscv64-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
git checkout caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=riscv olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=riscv SHELL=/bin/bash drivers/media/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303282152.CXxK3RNH-lkp@intel.com/
All warnings (new ones prefixed by >>):
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c: In function 'vb2ops_vdec_queue_setup':
>> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:756:20: warning: suggest explicit braces to avoid ambiguous 'else' [-Wdangling-else]
756 | if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
| ^
vim +/else +756 drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
739
740 int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
741 unsigned int *nplanes, unsigned int sizes[],
742 struct device *alloc_devs[])
743 {
744 struct mtk_vcodec_ctx *ctx = vb2_get_drv_priv(vq);
745 struct mtk_q_data *q_data;
746 unsigned int i;
747
748 q_data = mtk_vdec_get_q_data(ctx, vq->type);
749
750 if (q_data == NULL) {
751 mtk_v4l2_err("vq->type=%d err\n", vq->type);
752 return -EINVAL;
753 }
754
755 if (*nplanes) {
> 756 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
757 if (*nplanes != q_data->fmt->num_planes)
758 return -EINVAL;
759 else
760 if (*nplanes != 1)
761 return -EINVAL;
762
763 for (i = 0; i < *nplanes; i++) {
764 if (sizes[i] < q_data->sizeimage[i])
765 return -EINVAL;
766 }
767 } else {
768 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
769 *nplanes = q_data->fmt->num_planes;
770 else
771 *nplanes = 1;
772
773 for (i = 0; i < *nplanes; i++)
774 sizes[i] = q_data->sizeimage[i];
775 }
776
777 mtk_v4l2_debug(1,
778 "[%d]\t type = %d, get %d plane(s), %d buffer(s) of size 0x%x 0x%x ",
779 ctx->id, vq->type, *nplanes, *nbuffers,
780 sizes[0], sizes[1]);
781
782 return 0;
783 }
784
Hi Wei,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on media-tree/master]
[also build test WARNING on linus/master v6.3-rc4 next-20230328]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
base: git://linuxtv.org/media_tree.git master
patch link: https://lore.kernel.org/r/20230328100951.536955-1-harperchen1110%40gmail.com
patch subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
config: s390-randconfig-r044-20230327 (https://download.01.org/0day-ci/archive/20230329/202303290153.AP9Oe2GL-lkp@intel.com/config)
compiler: clang version 17.0.0 (https://github.com/llvm/llvm-project 67409911353323ca5edf2049ef0df54132fa1ca7)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install s390 cross compiling tool for clang build
# apt-get install binutils-s390x-linux-gnu
# https://github.com/intel-lab-lkp/linux/commit/caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
git checkout caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=s390 olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=s390 SHELL=/bin/bash drivers/media/platform/mediatek/vcodec/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303290153.AP9Oe2GL-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:9:
In file included from include/media/v4l2-mem2mem.h:16:
In file included from include/media/videobuf2-v4l2.h:16:
In file included from include/media/videobuf2-core.h:18:
In file included from include/linux/dma-buf.h:16:
In file included from include/linux/iosys-map.h:10:
In file included from include/linux/io.h:13:
In file included from arch/s390/include/asm/io.h:75:
include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
val = __raw_readb(PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
#define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
^
include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
#define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
^
In file included from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:9:
In file included from include/media/v4l2-mem2mem.h:16:
In file included from include/media/videobuf2-v4l2.h:16:
In file included from include/media/videobuf2-core.h:18:
In file included from include/linux/dma-buf.h:16:
In file included from include/linux/iosys-map.h:10:
In file included from include/linux/io.h:13:
In file included from arch/s390/include/asm/io.h:75:
include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
#define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
^
include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
#define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
^
In file included from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:9:
In file included from include/media/v4l2-mem2mem.h:16:
In file included from include/media/videobuf2-v4l2.h:16:
In file included from include/media/videobuf2-core.h:18:
In file included from include/linux/dma-buf.h:16:
In file included from include/linux/iosys-map.h:10:
In file included from include/linux/io.h:13:
In file included from arch/s390/include/asm/io.h:75:
include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
__raw_writeb(value, PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
__raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
__raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:692:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
readsb(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:700:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
readsw(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:708:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
readsl(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:717:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
writesb(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:726:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
writesw(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:735:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
writesl(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
>> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:759:3: warning: add explicit braces to avoid dangling else [-Wdangling-else]
else
^
13 warnings generated.
vim +759 drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
739
740 int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
741 unsigned int *nplanes, unsigned int sizes[],
742 struct device *alloc_devs[])
743 {
744 struct mtk_vcodec_ctx *ctx = vb2_get_drv_priv(vq);
745 struct mtk_q_data *q_data;
746 unsigned int i;
747
748 q_data = mtk_vdec_get_q_data(ctx, vq->type);
749
750 if (q_data == NULL) {
751 mtk_v4l2_err("vq->type=%d err\n", vq->type);
752 return -EINVAL;
753 }
754
755 if (*nplanes) {
756 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
757 if (*nplanes != q_data->fmt->num_planes)
758 return -EINVAL;
> 759 else
760 if (*nplanes != 1)
761 return -EINVAL;
762
763 for (i = 0; i < *nplanes; i++) {
764 if (sizes[i] < q_data->sizeimage[i])
765 return -EINVAL;
766 }
767 } else {
768 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
769 *nplanes = q_data->fmt->num_planes;
770 else
771 *nplanes = 1;
772
773 for (i = 0; i < *nplanes; i++)
774 sizes[i] = q_data->sizeimage[i];
775 }
776
777 mtk_v4l2_debug(1,
778 "[%d]\t type = %d, get %d plane(s), %d buffer(s) of size 0x%x 0x%x ",
779 ctx->id, vq->type, *nplanes, *nbuffers,
780 sizes[0], sizes[1]);
781
782 return 0;
783 }
784
Hi Wei,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on media-tree/master]
[also build test WARNING on linus/master v6.3-rc4 next-20230328]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
base: git://linuxtv.org/media_tree.git master
patch link: https://lore.kernel.org/r/20230328100951.536955-1-harperchen1110%40gmail.com
patch subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
config: csky-randconfig-r013-20230327 (https://download.01.org/0day-ci/archive/20230329/202303290137.F9lOyCT4-lkp@intel.com/config)
compiler: csky-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
git checkout caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=csky olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=csky SHELL=/bin/bash drivers/media/platform/mediatek/vcodec/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303290137.F9lOyCT4-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from include/asm-generic/div64.h:27,
from ./arch/csky/include/generated/asm/div64.h:1,
from include/linux/math.h:6,
from include/linux/math64.h:6,
from include/linux/time.h:6,
from include/linux/videodev2.h:59,
from include/media/v4l2-event.h:16,
from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:8:
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c: In function 'vb2ops_vdec_queue_setup':
>> include/linux/compiler.h:56:26: warning: suggest explicit braces to avoid ambiguous 'else' [-Wdangling-else]
56 | #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
| ^
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:756:17: note: in expansion of macro 'if'
756 | if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
| ^~
vim +/else +56 include/linux/compiler.h
2bcd521a684cc9 Steven Rostedt 2008-11-21 50
2bcd521a684cc9 Steven Rostedt 2008-11-21 51 #ifdef CONFIG_PROFILE_ALL_BRANCHES
2bcd521a684cc9 Steven Rostedt 2008-11-21 52 /*
2bcd521a684cc9 Steven Rostedt 2008-11-21 53 * "Define 'is'", Bill Clinton
2bcd521a684cc9 Steven Rostedt 2008-11-21 54 * "Define 'if'", Steven Rostedt
2bcd521a684cc9 Steven Rostedt 2008-11-21 55 */
a15fd609ad53a6 Linus Torvalds 2019-03-20 @56 #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
a15fd609ad53a6 Linus Torvalds 2019-03-20 57
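The `-Wdangling-else` warnings reported above change which requests the added check accepts, not only how it reads. The user-space model below is an added example, not code from the patch, the driver or this thread; the `model_*` names, the three-entry `sizeimage[]` (taken from the 1-3 range in the commit message) and the sample sizes are assumptions, and `-EFAULT` is a model-only marker for the iteration where the loop would index past the array.

```c
#include <errno.h>
#include <stdio.h>

#define MODEL_FMT_PLANES 3 /* assumption: sizeimage[] has 3 entries (num_planes is 1-3) */

enum model_queue { MODEL_OUTPUT, MODEL_CAPTURE }; /* hypothetical stand-ins for vq->type */

struct model_q_data {
	unsigned int num_planes;
	unsigned int sizeimage[MODEL_FMT_PLANES];
};

/* The size loop from queue_setup. -EFAULT is model-only: it marks the
 * iteration where the driver would read past sizeimage[]. */
static int compare_sizes(const struct model_q_data *q, unsigned int nplanes,
			 const unsigned int *sizes)
{
	for (unsigned int i = 0; i < nplanes; i++) {
		if (i >= MODEL_FMT_PLANES)
			return -EFAULT;
		if (sizes[i] < q->sizeimage[i])
			return -EINVAL;
	}
	return 0;
}

/* The check as the compiler parses it: "else" pairs with the inner "if". */
static int check_as_parsed(enum model_queue type, const struct model_q_data *q,
			   unsigned int nplanes, const unsigned int *sizes)
{
	if (type == MODEL_CAPTURE) {
		if (nplanes != q->num_planes)
			return -EINVAL;
		else if (nplanes != 1)
			return -EINVAL;
	}
	return compare_sizes(q, nplanes, sizes);
}

/* The check with explicit braces: "else" pairs with the queue-type test. */
static int check_braced(enum model_queue type, const struct model_q_data *q,
			unsigned int nplanes, const unsigned int *sizes)
{
	if (type == MODEL_CAPTURE) {
		if (nplanes != q->num_planes)
			return -EINVAL;
	} else if (nplanes != 1) {
		return -EINVAL;
	}
	return compare_sizes(q, nplanes, sizes);
}

int main(void)
{
	/* Constructed sample data: a 2-plane format and 8 caller-supplied sizes. */
	const struct model_q_data q = { .num_planes = 2, .sizeimage = { 4096, 2048, 0 } };
	const unsigned int sizes[8] = { 8192, 8192, 8192, 8192, 8192, 8192, 8192, 8192 };
	const struct { enum model_queue type; unsigned int nplanes; const char *name; } cases[] = {
		{ MODEL_CAPTURE, 2, "capture, nplanes=2" },
		{ MODEL_OUTPUT, 1, "output, nplanes=1" },
		{ MODEL_OUTPUT, 8, "output, nplanes=8" },
	};

	for (unsigned int i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-20s parsed=%d braced=%d\n", cases[i].name,
		       check_as_parsed(cases[i].type, &q, cases[i].nplanes, sizes),
		       check_braced(cases[i].type, &q, cases[i].nplanes, sizes));
	return 0;
}
```

In the model, the parsed form rejects a valid two-plane capture request and lets the eight-plane output request reach the size loop, while the braced form accepts the first and rejects the second before the loop runs.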
Hi,
On Tuesday, 28 March 2023 at 10:09 +0000, Wei Chen wrote:
> variable *nplanes is provided by user via system call argument. The
> possible value of q_data->fmt->num_planes is 1-3, while the value
> of *nplanes can be 1-8. The array access by index i can cause array
> out-of-bounds.
>
> Fix this bug by checking *nplanes against the array size.
>
> Signed-off-by: Wei Chen <harperchen1110@gmail.com>
> ---
> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c > index 641f533c417f..cae34cc7c807 100644 > --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c > +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c > @@ -753,6 +753,13 @@ int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers, > } > > if (*nplanes) { > + if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) > + if (*nplanes != q_data->fmt->num_planes) > + return -EINVAL; > + else > + if (*nplanes != 1) > + return -EINVAL; > + > for (i = 0; i < *nplanes; i++) { > if (sizes[i] < q_data->sizeimage[i]) > return -EINVAL;

A bit of context, *nplanes is non zero only when called from VIDIOC_CREATE_BUFS. I think this highlights a bigger problem around the format in VIDIOC_CREATE_BUFS. The format should be validated through TRY_FMT in some ways, notably to apply the HW required alignment, but also to avoid having to validate that lower in the stack.

Nicolas
diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c index 641f533c417f..cae34cc7c807 100644 --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c @@ -753,6 +753,13 @@ int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers, } if (*nplanes) { + if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) + if (*nplanes != q_data->fmt->num_planes) + return -EINVAL; + else + if (*nplanes != 1) + return -EINVAL; + for (i = 0; i < *nplanes; i++) { if (sizes[i] < q_data->sizeimage[i]) return -EINVAL;
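Review bot: the added `else` binds to the inner `if (*nplanes != q_data->fmt->num_planes)`, not to the `vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE` test, which is what the -Wdangling-else reports in this thread flag. As parsed, a capture queue whose *nplanes matches num_planes must then also pass `*nplanes != 1`, so any multi-plane capture format gets -EINVAL, while every other queue type gets no plane-count check at all and still reaches `q_data->sizeimage[i]` in the loop with the caller's *nplanes. Put braces around both branches of the outer `if` so the `else` pairs with the queue-type test, matching the if/else the function already uses to set *nplanes when it is zero.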