| Message ID | 1691634304-2158-3-git-send-email-quic_vgarodia@quicinc.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b824:0:b0:3f2:4152:657d with SMTP id z4csp170693vqi;
Wed, 9 Aug 2023 21:06:01 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IETJ3hV+a/ryoYRrbZGgrRPZosEDwyZleF1ZCM3xjvCI3TBFn/9G6CRlFWF7jbFaPLU1Zco
X-Received: by 2002:a05:6a00:4509:b0:687:ffac:c62e with SMTP id
cw9-20020a056a00450900b00687ffacc62emr1141452pfb.3.1691640361014;
Wed, 09 Aug 2023 21:06:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1691640360; cv=none;
d=google.com; s=arc-20160816;
b=yHW2JGoRBtPhzVphPgeKQqYtKTNvxSIKYJssFJhys8ADqgU8MPEbC3lM1G7T6AqhGQ
9ietBbfWQARthKFQ1zCV7y02NCMzC8G1o20UP/bSlKzx3gxEM6RzhANIPB6A7mmNW80v
zexpKZVxc/W8q7TunMneCFKE0q8lz8AtvEtU/hk/l0swfGvD9zHciZKqMCvVwtfjKuZ6
NuxBYTdjUIzcFlqTwQKSUkdgGgj38yaF94g/GyVGPw11dJbaOKozS+YbbUYu2Dw+pMGF
A1D8dJ0fR+uB773BMfn1TmbsOXCdupDziY5H+iGcOVshiOwwRQY42f7xIOGB/nt/Rnpc
xJ2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:references:in-reply-to:message-id
:date:subject:cc:to:from:dkim-signature;
bh=2oTMgX4OQS2lmRYb6mhrixFvv6JGwYf/kL8q1sU/r9M=;
fh=GcndwOMBf1bnpW+bW+jgpNWzVvxAZNEz+Wt3jUkG7qY=;
b=ZqIk8KPLLiVF7PG9A7AzAdXC3nMnNx+VZP8MV0SkDIVAK+xbo9RnCqKLPRiIRkTap7
MbBhWXcDomB1zFbWq3hOTH8v82FrXcNgaUX+YuQwk68PdgB15UNaScoubJG8HZD3YHiU
OEciGaDEOxpQsDKrEMKe9CO+/WtcOcJ3rkEp1y2Zgh5e2eloyYB8I1z2ElyIZCAa/wN8
kK79J8l5tl9FA9Z8r9q1JPyKOBjnhwuoRfxRNgpTv4fipuzpxE8zQB5vCP7yfZKxx8+E
KgyJi1cRay3IuaNy+J73J37r/OAcTNONCld/7HRiI1cZK+45vMfjVD7zb3j2JRJjCN1e
z78g==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=Wpyudwoj;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
s18-20020a635252000000b005639473079csi695551pgl.379.2023.08.09.21.05.48;
Wed, 09 Aug 2023 21:06:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=Wpyudwoj;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232373AbjHJC0L (ORCPT <rfc822;craechal@gmail.com> + 99 others);
Wed, 9 Aug 2023 22:26:11 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40286 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S232324AbjHJC0K (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 9 Aug 2023 22:26:10 -0400
Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com
[205.220.168.131])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C26D2211B;
Wed, 9 Aug 2023 19:26:04 -0700 (PDT)
Received: from pps.filterd (m0279866.ppops.net [127.0.0.1])
by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
37A1iIhE005236;
Thu, 10 Aug 2023 02:25:50 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com;
h=from : to : cc :
subject : date : message-id : in-reply-to : references : mime-version :
content-type; s=qcppdkim1;
bh=2oTMgX4OQS2lmRYb6mhrixFvv6JGwYf/kL8q1sU/r9M=;
b=Wpyudwoj3DKKKu7qauqQonaQ36U2rMNj0ghEvAUx7YcoYkk0i3ok0eOrKrnalcO33D6G
Y+CwmkNqx9TEN6zurOHPehHohxp+25pLTUQvdjw2FPbNDzaL3XODuvqkh5s6OCkUsCfs
G6xdvKIY1PQNlcxMokU/npS1prMPelf0TqyuHPnWXxJYvplDSZxIG19AXo81F9iCzAFE
11NI194qquQVsQ+a0IUZeS8kXmObxwZYl8RAutI+DiQaY40n+LBfTKNMu3rn1OicOSQp
RPKlG7LZzhu0dUQ9M63uOdDpVvF4rM9FbIX0r/iNFHol8ADrvCKuzRz3OFNcj9ihH3CM WA==
Received: from nasanppmta05.qualcomm.com (i-global254.qualcomm.com
[199.106.103.254])
by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3sch7crgxv-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Thu, 10 Aug 2023 02:25:50 +0000
Received: from nasanex01a.na.qualcomm.com (nasanex01a.na.qualcomm.com
[10.52.223.231])
by NASANPPMTA05.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id
37A2PnCQ019397
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Thu, 10 Aug 2023 02:25:49 GMT
Received: from hu-vgarodia-hyd.qualcomm.com (10.80.80.8) by
nasanex01a.na.qualcomm.com (10.52.223.231) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.2.1118.30; Wed, 9 Aug 2023 19:25:45 -0700
From: Vikash Garodia <quic_vgarodia@quicinc.com>
To: <stanimir.k.varbanov@gmail.com>, <bryan.odonoghue@linaro.org>,
<agross@kernel.org>, <andersson@kernel.org>,
<konrad.dybcio@linaro.org>, <mchehab@kernel.org>,
<hans.verkuil@cisco.com>, <tfiga@chromium.org>
CC: <linux-media@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <stable@vger.kernel.org>,
Vikash Garodia <quic_vgarodia@quicinc.com>
Subject: [PATCH v2 2/4] venus: hfi: fix the check to handle session buffer
requirement
Date: Thu, 10 Aug 2023 07:55:02 +0530
Message-ID: <1691634304-2158-3-git-send-email-quic_vgarodia@quicinc.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1691634304-2158-1-git-send-email-quic_vgarodia@quicinc.com>
References: <1691634304-2158-1-git-send-email-quic_vgarodia@quicinc.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.80.80.8]
X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To
nasanex01a.na.qualcomm.com (10.52.223.231)
X-QCInternal: smtphost
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800
signatures=585085
X-Proofpoint-ORIG-GUID: 1xTf4V96M7poeYWwhndFerb0Ss9mWa4S
X-Proofpoint-GUID: 1xTf4V96M7poeYWwhndFerb0Ss9mWa4S
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.267,Aquarius:18.0.957,Hydra:6.0.591,FMLib:17.11.176.26
definitions=2023-08-10_01,2023-08-09_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
phishscore=0 spamscore=0
priorityscore=1501 lowpriorityscore=0 suspectscore=0 impostorscore=0
mlxlogscore=999 mlxscore=0 adultscore=0 malwarescore=0 clxscore=1015
bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
engine=8.12.0-2306200000 definitions=main-2308100019
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1773813483335744017
X-GMAIL-MSGID: 1773813483335744017
|
| Series |
Venus driver fixes to avoid possible OOB accesses
|
|
Commit Message
Vikash Garodia
Aug. 10, 2023, 2:25 a.m. UTC
Buffer requirement, for different buffer type, comes from video firmware.
While copying these requirements, there is an OOB possibility when the
payload from firmware is more than expected size. Fix the check to avoid
the OOB possibility.
Cc: stable@vger.kernel.org
Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
Reviewed-by: Nathan Hebert <nhebert@chromium.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
---
drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On 10/08/2023 03:25, Vikash Garodia wrote: > Buffer requirement, for different buffer type, comes from video firmware. > While copying these requirements, there is an OOB possibility when the > payload from firmware is more than expected size. Fix the check to avoid > the OOB possibility. > > Cc: stable@vger.kernel.org > Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") > Reviewed-by: Nathan Hebert <nhebert@chromium.org> > Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> > --- > drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c > index 3d5dadf..3e85bd8 100644 > --- a/drivers/media/platform/qcom/venus/hfi_msgs.c > +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c > @@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt, > memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); > idx++; > > - if (idx > HFI_BUFFER_TYPE_MAX) > + if (idx >= HFI_BUFFER_TYPE_MAX) > return HFI_ERR_SESSION_INVALID_PARAMETER; > > req_bytes -= sizeof(struct hfi_buffer_requirements); Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 3d5dadf..3e85bd8 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt, memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); idx++; - if (idx > HFI_BUFFER_TYPE_MAX) + if (idx >= HFI_BUFFER_TYPE_MAX) return HFI_ERR_SESSION_INVALID_PARAMETER; req_bytes -= sizeof(struct hfi_buffer_requirements);