Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: venus: hfi: add a check to handle OOB in sfr region

sfr->buf_size is in shared memory and can be modified by a malicious user.
An OOB write is possible when the size is made higher than the actual sfr data
buffer. Cap the size to the allocated size for such cases.

Cc: stable@vger.kernel.org
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>

Authored by Vikash Garodia and committed by Hans Verkuil
f4b21171 69baf245

+10 -2
drivers/media/platform/qcom/venus/hfi_venus.c
··· 1041 1041 { 1042 1042 struct device *dev = hdev->core->dev; 1043 1043 struct hfi_sfr *sfr = hdev->sfr.kva; 1044 + u32 size; 1044 1045 void *p; 1045 1046 1046 1047 if (!sfr) 1047 1048 return; 1048 1049 1049 - p = memchr(sfr->data, '\0', sfr->buf_size); 1050 + size = sfr->buf_size; 1051 + if (!size) 1052 + return; 1053 + 1054 + if (size > ALIGNED_SFR_SIZE) 1055 + size = ALIGNED_SFR_SIZE; 1056 + 1057 + p = memchr(sfr->data, '\0', size); 1050 1058 /* 1051 1059 * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates 1052 1060 * that Venus is in the process of crashing. 1053 1061 */ 1054 1062 if (!p) 1055 - sfr->data[sfr->buf_size - 1] = '\0'; 1063 + sfr->data[size - 1] = '\0'; 1056 1064 1057 1065 dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data); 1058 1066 }
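Review bot: since the commit message says sfr->buf_size lives in shared memory that another party can modify, the copy at `size = sfr->buf_size;` should be a `READ_ONCE(sfr->buf_size)` so the fetch is guaranteed to happen exactly once; a plain load into a local does not stop the compiler from legally re-reading the field, which would reintroduce the double-fetch the local variable is meant to avoid. Also worth confirming before merging: the cap `if (size > ALIGNED_SFR_SIZE) size = ALIGNED_SFR_SIZE;` assumes `sfr->data` itself is ALIGNED_SFR_SIZE bytes long; if that macro is the size of the whole allocation including the `buf_size` header, then `sfr->data[size - 1] = '\0';` with the capped value still writes past the end of the buffer by the header size, and the cap should be reduced by `offsetof(struct hfi_sfr, data)`. A one-line comment next to the cap stating which size ALIGNED_SFR_SIZE denotes would make the bound easy to audit later.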