| Message ID | 1690432469-14803-3-git-send-email-quic_vgarodia@quicinc.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Venus driver fixes to avoid possible OOB accesses | expand |
On Wed, Jul 26, 2023 at 9:35 PM Vikash Garodia <quic_vgarodia@quicinc.com> wrote: > > Buffer requirement, for different buffer type, comes from video firmware. > While copying these requirements, there is an OOB possibility when the > payload from firmware is more than expected size. Fix the check to avoid > the OOB possibility. > > Cc: stable@vger.kernel.org > Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") > Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> > --- > drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c > index 3d5dadf..3e85bd8 100644 > --- a/drivers/media/platform/qcom/venus/hfi_msgs.c > +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c > @@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt, > memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); > idx++; > > - if (idx > HFI_BUFFER_TYPE_MAX) > + if (idx >= HFI_BUFFER_TYPE_MAX) > return HFI_ERR_SESSION_INVALID_PARAMETER; > > req_bytes -= sizeof(struct hfi_buffer_requirements); > -- > The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, > a Linux Foundation Collaborative Project > The fix makes sense to me. Reviewed-by: Nathan Hebert <nhebert@chromium.org> Best regards, Nathan Hebert
diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 3d5dadf..3e85bd8 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt, memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); idx++; - if (idx > HFI_BUFFER_TYPE_MAX) + if (idx >= HFI_BUFFER_TYPE_MAX) return HFI_ERR_SESSION_INVALID_PARAMETER; req_bytes -= sizeof(struct hfi_buffer_requirements);
Buffer requirement, for different buffer type, comes from video firmware. While copying these requirements, there is an OOB possibility when the payload from firmware is more than expected size. Fix the check to avoid the OOB possibility. Cc: stable@vger.kernel.org Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> --- drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)