[07/13] media: s5p-jpeg: prevent buffer overflows

Message ID	16ccf3d588665a5a0dda91cbb04374d6aea99ca6.1729074076.git.mchehab+huawei@kernel.org (mailing list archive)
State	New
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1D199206E95; Wed, 16 Oct 2024 10:22:37 +0000 (UTC) From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> To: Cc: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>, Andrzej Pietrasiewicz <andrzejtp2010@gmail.com>, Hans Verkuil <hans.verkuil@cisco.com>, Jacek Anaszewski <jacek.anaszewski@gmail.com>, Mauro Carvalho Chehab <mchehab+huawei@kernel.org>, Sylwester Nawrocki <s.nawrocki@samsung.com>, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 07/13] media: s5p-jpeg: prevent buffer overflows Date: Wed, 16 Oct 2024 12:22:23 +0200 Message-ID: <16ccf3d588665a5a0dda91cbb04374d6aea99ca6.1729074076.git.mchehab+huawei@kernel.org> In-Reply-To: <cover.1729074076.git.mchehab+huawei@kernel.org> References: <cover.1729074076.git.mchehab+huawei@kernel.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Series	Media: fix several issues on drivers \| expand [00/13] Media: fix several issues on drivers [01/13] media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() [02/13] media: v4l2-tpg: prevent the risk of a division by zero [03/13] media: dvbdev: prevent the risk of out of memory access [04/13] media: dvb_frontend: don't play tricks with underflow values [05/13] media: mgb4: protect driver against spectre [06/13] media: av7110: fix a spectre vulnerability [07/13] media: s5p-jpeg: prevent buffer overflows [08/13] media: ar0521: don't overflow when checking PLL values [09/13] media: cx24116: prevent overflows on SNR calculus [10/13] media: adv7604 prevent underflow condition when reporting colorspace [11/13] media: stb0899_algo: initialize cfr before using it [12/13] media: cec: extron-da-hd-4k-plus: don't use -1 as an error code [13/13] media: pulse8-cec: fix data timestamp at pulse8_setup()

Message ID

16ccf3d588665a5a0dda91cbb04374d6aea99ca6.1729074076.git.mchehab+huawei@kernel.org (mailing list archive)

State

New

Headers

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
To: 
Cc: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
	Andrzej Pietrasiewicz <andrzejtp2010@gmail.com>,
	Hans Verkuil <hans.verkuil@cisco.com>,
	Jacek Anaszewski <jacek.anaszewski@gmail.com>,
	Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
	Sylwester Nawrocki <s.nawrocki@samsung.com>,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org,
	linux-media@vger.kernel.org,
	stable@vger.kernel.org
Subject: [PATCH 07/13] media: s5p-jpeg: prevent buffer overflows
Date: Wed, 16 Oct 2024 12:22:23 +0200
Message-ID: 
 <16ccf3d588665a5a0dda91cbb04374d6aea99ca6.1729074076.git.mchehab+huawei@kernel.org>
In-Reply-To: <cover.1729074076.git.mchehab+huawei@kernel.org>
References: <cover.1729074076.git.mchehab+huawei@kernel.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

Series

Media: fix several issues on drivers | expand

Commit Message

Mauro Carvalho Chehab Oct. 16, 2024, 10:22 a.m. UTC

The current logic allows word to be less than 2. If this happens,
there will be buffer overflows. Add extra checks to prevent it.

While here, remove an unused word = 0 assignment.

Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
---
 .../media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

Comments

Jacek Anaszewski Oct. 17, 2024, 10:34 a.m. UTC | #1

Hi Mauro,

On 10/16/24 12:22, Mauro Carvalho Chehab wrote:
> The current logic allows word to be less than 2. If this happens,
> there will be buffer overflows. Add extra checks to prevent it.
> 
> While here, remove an unused word = 0 assignment.
> 
> Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> ---
>   .../media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++++++------
>   1 file changed, 11 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
> index d2c4a0178b3c..1db4609b3557 100644
> --- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
> +++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
> @@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx)
>   		(unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
>   	jpeg_buffer.curr = 0;
>   
> -	word = 0;
> -
>   	if (get_word_be(&jpeg_buffer, &word))
>   		return;
> -	jpeg_buffer.size = (long)word - 2;
> +
> +	if (word < 2)
> +		jpeg_buffer.size = 0;
> +	else
> +		jpeg_buffer.size = (long)word - 2;
> +
>   	jpeg_buffer.data += 2;
>   	jpeg_buffer.curr = 0;
>   
> @@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_buffer *buf, unsigned int *word)
>   	if (byte == -1)
>   		return -1;
>   	*word = (unsigned int)byte | temp;
> +
>   	return 0;
>   }
>   
> @@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
>   			if (get_word_be(&jpeg_buffer, &word))
>   				break;
>   			length = (long)word - 2;
> -			if (!length)
> +			if (length <= 0)
>   				return false;
>   			sof = jpeg_buffer.curr; /* after 0xffc0 */
>   			sof_len = length;
> @@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
>   			if (get_word_be(&jpeg_buffer, &word))
>   				break;
>   			length = (long)word - 2;
> -			if (!length)
> +			if (length <= 0)
>   				return false;
>   			if (n_dqt >= S5P_JPEG_MAX_MARKER)
>   				return false;
> @@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
>   			if (get_word_be(&jpeg_buffer, &word))
>   				break;
>   			length = (long)word - 2;
> -			if (!length)
> +			if (length <= 0)
>   				return false;
>   			if (n_dht >= S5P_JPEG_MAX_MARKER)
>   				return false;
> @@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
>   			if (get_word_be(&jpeg_buffer, &word))
>   				break;
>   			length = (long)word - 2;
> +			/* No need to check underflows as skip() does it  */
>   			skip(&jpeg_buffer, length);
>   			break;
>   		}

Seems reasonable.

Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>

diff --git a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
index d2c4a0178b3c..1db4609b3557 100644
--- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
@@ -775,11 +775,14 @@  static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx)
 		(unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
 	jpeg_buffer.curr = 0;
 
-	word = 0;
-
 	if (get_word_be(&jpeg_buffer, &word))
 		return;
-	jpeg_buffer.size = (long)word - 2;
+
+	if (word < 2)
+		jpeg_buffer.size = 0;
+	else
+		jpeg_buffer.size = (long)word - 2;
+
 	jpeg_buffer.data += 2;
 	jpeg_buffer.curr = 0;
 
@@ -1058,6 +1061,7 @@  static int get_word_be(struct s5p_jpeg_buffer *buf, unsigned int *word)
 	if (byte == -1)
 		return -1;
 	*word = (unsigned int)byte | temp;
+
 	return 0;
 }
 
@@ -1145,7 +1149,7 @@  static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
 			if (get_word_be(&jpeg_buffer, &word))
 				break;
 			length = (long)word - 2;
-			if (!length)
+			if (length <= 0)
 				return false;
 			sof = jpeg_buffer.curr; /* after 0xffc0 */
 			sof_len = length;
@@ -1176,7 +1180,7 @@  static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
 			if (get_word_be(&jpeg_buffer, &word))
 				break;
 			length = (long)word - 2;
-			if (!length)
+			if (length <= 0)
 				return false;
 			if (n_dqt >= S5P_JPEG_MAX_MARKER)
 				return false;
@@ -1189,7 +1193,7 @@  static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
 			if (get_word_be(&jpeg_buffer, &word))
 				break;
 			length = (long)word - 2;
-			if (!length)
+			if (length <= 0)
 				return false;
 			if (n_dht >= S5P_JPEG_MAX_MARKER)
 				return false;
@@ -1214,6 +1218,7 @@  static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
 			if (get_word_be(&jpeg_buffer, &word))
 				break;
 			length = (long)word - 2;
+			/* No need to check underflows as skip() does it  */
 			skip(&jpeg_buffer, length);
 			break;
 		}

[07/13] media: s5p-jpeg: prevent buffer overflows

Commit Message

Comments

Patch