From: Vikash Garodia
Subject: [PATCH 1/4] venus: hfi: add checks to perform sanity on queue pointers
Date: Thu, 27 Jul 2023 10:04:26 +0530
Message-ID: <1690432469-14803-2-git-send-email-quic_vgarodia@quicinc.com>
In-Reply-To: <1690432469-14803-1-git-send-email-quic_vgarodia@quicinc.com>

Read and write pointers are used to track the packet index in the memory shared between video driver and firmware.
There is a possibility of OOB access if the read or write pointer goes beyond the queue memory size. Add checks for the read and write pointer to avoid OOB access. Cc: stable@vger.kernel.org Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_venus.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c index f0b4638..dc228c4 100644 --- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c @@ -206,6 +206,10 @@ static int venus_write_queue(struct venus_hfi_device *hdev, new_wr_idx = wr_idx + dwords; wr_ptr = (u32 *)(queue->qmem.kva + (wr_idx << 2)); + + if (wr_ptr < (u32 *)queue->qmem.kva || wr_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size)) + return -EINVAL; + if (new_wr_idx < qsize) { memcpy(wr_ptr, packet, dwords << 2); } else { 
@@ -273,6 +277,10 @@ static int venus_read_queue(struct venus_hfi_device *hdev, } rd_ptr = (u32 *)(queue->qmem.kva + (rd_idx << 2)); + + if (rd_ptr < (u32 *)queue->qmem.kva || rd_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size)) + return -EINVAL; + dwords = *rd_ptr >> 2; if (!dwords) return -EINVAL;
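Review bot: In the venus_write_queue hunk the upper bound uses `>`, so a wr_ptr equal to queue->qmem.kva + queue->qmem.size passes the check and the memcpy(wr_ptr, packet, dwords << 2) that follows starts writing at the first byte past the queue memory. Use `>=` for the upper bound. The lower-bound comparison can only fire if the pointer arithmetic wraps, so it would be clearer to validate the index before forming the pointer, for example by rejecting wr_idx >= qsize, since qsize is already compared against new_wr_idx just below.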
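Review bot: In the venus_read_queue hunk the same `>` upper bound lets rd_ptr equal the end of the queue memory, and the next line, dwords = *rd_ptr >> 2, then reads four bytes beyond it. The bound should be `>=`, or the check should be made on rd_idx before the pointer is computed. The value read into dwords also comes from the shared memory and only the zero case is rejected in the visible lines, so it is worth confirming that the code after this hunk bounds it before it is used as a copy length.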
From: Vikash Garodia
Subject: [PATCH 2/4] venus: hfi: fix the check to handle session buffer requirement
Date: Thu, 27 Jul 2023 10:04:27 +0530
Message-ID: <1690432469-14803-3-git-send-email-quic_vgarodia@quicinc.com>
In-Reply-To: <1690432469-14803-1-git-send-email-quic_vgarodia@quicinc.com>

Buffer requirement, for different buffer type, comes from video firmware.
While copying these requirements, there is an OOB possibility when the payload from firmware is more than expected size. Fix the check to avoid the OOB possibility. Cc: stable@vger.kernel.org Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Signed-off-by: Vikash Garodia Reviewed-by: Nathan Hebert --- drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 3d5dadf..3e85bd8 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c 
@@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt, memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); idx++; - if (idx > HFI_BUFFER_TYPE_MAX) + if (idx >= HFI_BUFFER_TYPE_MAX) return HFI_ERR_SESSION_INVALID_PARAMETER; req_bytes -= sizeof(struct hfi_buffer_requirements);
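Review bot: The check still runs after memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)) and idx++, so with `>=` the function returns HFI_ERR_SESSION_INVALID_PARAMETER as soon as the last valid slot has been filled, even when the payload holds nothing more. If bufreq has HFI_BUFFER_TYPE_MAX entries, a payload carrying exactly that many requirements is now rejected after being copied in full. Moving the test ahead of the memcpy, as `if (idx >= HFI_BUFFER_TYPE_MAX) return HFI_ERR_SESSION_INVALID_PARAMETER;`, keeps the write in bounds and fails only when an extra entry is actually present.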
From: Vikash Garodia
Subject: [PATCH 3/4] venus: hfi: add checks to handle capabilities from firmware
Date: Thu, 27 Jul 2023 10:04:28 +0530
Message-ID: <1690432469-14803-4-git-send-email-quic_vgarodia@quicinc.com>
In-Reply-To: <1690432469-14803-1-git-send-email-quic_vgarodia@quicinc.com>

The hfi parser parses the capabilities received from venus firmware and copies them to core capabilities.
Consider below api, for example, fill_caps - In this api, caps in core structure gets updated with the number of capabilities received in firmware data payload. If the same api is called multiple times, there is a possibility of copying beyond the max allocated size in core caps. Similar possibilities in fill_raw_fmts and fill_profile_level functions. Cc: stable@vger.kernel.org Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_parser.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c index 6cf74b2..ec73cac 100644 --- a/drivers/media/platform/qcom/venus/hfi_parser.c +++ b/drivers/media/platform/qcom/venus/hfi_parser.c @@ -86,6 +86,9 @@ static void fill_profile_level(struct hfi_plat_caps *cap, const void *data, { const struct hfi_profile_level *pl = data; + if (cap->num_pl > HFI_MAX_PROFILE_COUNT) + return; + memcpy(&cap->pl[cap->num_pl], pl, num * sizeof(*pl)); cap->num_pl += num; } @@ -111,6 +114,9 @@ fill_caps(struct hfi_plat_caps *cap, const void *data, unsigned int num) { const struct hfi_capability *caps = data; + if (cap->num_caps > MAX_CAP_ENTRIES) + return; + memcpy(&cap->caps[cap->num_caps], caps, num * sizeof(*caps)); cap->num_caps += num; } @@ -137,6 +143,9 @@ static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts, { const struct raw_formats *formats = fmts; + if (cap->num_fmts > MAX_FMT_ENTRIES) + return; + memcpy(&cap->fmts[cap->num_fmts], formats, num_fmts * sizeof(*formats)); cap->num_fmts += num_fmts; } 
@@ -159,6 +168,9 @@ parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data) rawfmts[i].buftype = fmt->buffer_type; i++; + if (i >= MAX_FMT_ENTRIES) + return; + if (pinfo->num_planes > MAX_PLANES) break;
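Review bot: The guards added to fill_profile_level, fill_caps and fill_raw_fmts test only the current count and ignore the number of entries about to be copied. With cap->num_caps below MAX_CAP_ENTRIES but num large, memcpy(&cap->caps[cap->num_caps], caps, num * sizeof(*caps)) still runs past the array, and because the comparison is `>`, a count equal to the maximum is let through and the copy starts at the first slot past the end (assuming the arrays are sized by these constants). Check the sum instead, for example `if (cap->num_caps + num > MAX_CAP_ENTRIES) return;`, and do the same for num_pl with HFI_MAX_PROFILE_COUNT and num_fmts with MAX_FMT_ENTRIES.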
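Review bot: In parse_raw_formats the new limit check uses `return` where the neighbouring MAX_PLANES check uses `break`, so whatever follows the loop is skipped and the entries already stored in rawfmts are dropped without any error or log. If the intent is to cap the list at MAX_FMT_ENTRIES rather than discard it, `break` would match the existing pattern; either way a comment stating which behaviour is intended would help.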
From: Vikash Garodia
Subject: [PATCH 4/4] venus: hfi_parser: Add check to keep the number of codecs within range
Date: Thu, 27 Jul 2023 10:04:29 +0530
Message-ID: <1690432469-14803-5-git-send-email-quic_vgarodia@quicinc.com>
In-Reply-To: <1690432469-14803-1-git-send-email-quic_vgarodia@quicinc.com>

Supported codec bitmask is populated from the payload from venus firmware. There is a possible case when all the bits in the codec bitmask are set.
In such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized. Now while filling the caps for encoder, it can lead to access the caps array beyond 32 index. Hence leading to OOB write. The fix counts the supported encoder and decoder. If the count is more than max, then it skips accessing the caps. Cc: stable@vger.kernel.org Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_parser.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c index ec73cac..651e215 100644 --- a/drivers/media/platform/qcom/venus/hfi_parser.c +++ b/drivers/media/platform/qcom/venus/hfi_parser.c @@ -14,11 +14,26 @@ typedef void (*func)(struct hfi_plat_caps *cap, const void *data, unsigned int size); +static int count_setbits(u32 input) +{ + u32 count = 0; + + while (input > 0) { + if ((input & 1) == 1) + count++; + input >>= 1; + } + return count; +} + static void init_codecs(struct venus_core *core) { struct hfi_plat_caps *caps = core->caps, *cap; unsigned long bit; + if ((count_setbits(core->dec_codecs) + count_setbits(core->enc_codecs)) > MAX_CODEC_NUM) + return; + for_each_set_bit(bit, &core->dec_codecs, MAX_CODEC_NUM) { cap = &caps[core->codecs_count++]; cap->codec = BIT(bit);
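Review bot: When the combined bit count exceeds MAX_CODEC_NUM, init_codecs returns without initialising any caps and, being void, without reporting it, so a malformed firmware bitmask turns into a core with no codec capabilities and no diagnostic. Consider logging the condition or letting the caller fail the parse. Separately, count_setbits() reimplements a population count that the kernel already provides as hweight32(), and it declares an int return while accumulating in a u32; using hweight32(core->dec_codecs) + hweight32(core->enc_codecs) would drop the helper.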