From patchwork Thu Nov 28 05:05:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vikash Garodia X-Patchwork-Id: 13887689 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6BDA613D893; Thu, 28 Nov 2024 05:05:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.168.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732770340; cv=none; b=rtO8k6DoVhu4vfPup0fIEqmjQEbESmtDGE/WRoLQLzC/cyTicAtsUG9eNqLKCKzh1qSPtyfPrP56VJ0pD9+pFvy1lzedKjO47glXIY4jkORpabZbluo8+2qB1V4DSWu65MYzs5kfEZwiYoJeHfo6pkQInEuJfiPO0P1ITr4KG+g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732770340; c=relaxed/simple; bh=fNHU+7Khoi1sWwvyzvZ7mMCWDf62+ZMBgq5o6LZY6Ok=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=vCkA1WQ//o5+M7CYNc5JYBduSJR96N+gy3Yq4ZaMxDPioXKoQ8n8/1hdMJgLBBq1L+6X3UPDR2pK0Rs2XV3N6kgvynIhVkcSZDZ6rx5b59TZsnPPxHbHScOqlklFpqRtA2tI3PlT+Ube3fFcNnfhoXH4TMCNf8paWZJE8XP4jVE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=MyZd2ybC; arc=none smtp.client-ip=205.220.168.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="MyZd2ybC" Received: from pps.filterd (m0279862.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 4ARGQp62028646; Thu, 28 Nov 2024 05:05:27 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=qcppdkim1; bh= /SzrY/qrhDl/no6+92M34M3F2ytZ4+21hmBn1SvPs3k=; b=MyZd2ybC9aEHtgef 0iy5ODErzsKD96sF14D9540Y2J86jMRUElmb8dG5mcy/FgGqyPBxFRD9lRQHkRtF L0Gollvy9brXphYngIu4nlw73Z53KrmkuR6jJx5dz/zRX+5OG6ltSE7bGRJrBAPm 9OkP9YwXhPn0ULQ/tAAsaCYumaltpOIGBmufIpznlsmINvpGI3wGM+XwfQW32ziU P8PzDrVk0Sdkjw/xfh9eUQOuZoYFZ7hd+XxpIKLLBfUcaF7ksjv4ZIlOBzhk8eC/ xVWCa0nCF7WxL2rFYQUWWKMiaEZW5dge5z2RXrCtVjDqe8vrUTpih0X5Lc2wZeBW 0CA94Q== Received: from nasanppmta04.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4366xwscat-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Nov 2024 05:05:26 +0000 (GMT) Received: from nasanex01a.na.qualcomm.com (nasanex01a.na.qualcomm.com [10.52.223.231]) by NASANPPMTA04.qualcomm.com (8.18.1.2/8.18.1.2) with ESMTPS id 4AS55QB5003047 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Nov 2024 05:05:26 GMT Received: from hu-vgarodia-hyd.qualcomm.com (10.80.80.8) by nasanex01a.na.qualcomm.com (10.52.223.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.9; Wed, 27 Nov 2024 21:05:22 -0800 From: Vikash Garodia Date: Thu, 28 Nov 2024 10:35:11 +0530 Subject: [PATCH v2 1/4] media: venus: hfi_parser: add check to avoid out of bound access Precedence: bulk X-Mailing-List: linux-arm-msm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <20241128-venus_oob_2-v2-1-483ae0a464b8@quicinc.com> References: <20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com> In-Reply-To: <20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com> To: Stanimir Varbanov , Bryan O'Donoghue , Mauro Carvalho Chehab , Tomasz Figa , Hans Verkuil CC: Stanimir Varbanov , Mauro Carvalho Chehab , Dmitry Baryshkov , , , , Vikash Garodia , X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1732770318; l=1208; i=quic_vgarodia@quicinc.com; s=20241104; h=from:subject:message-id; bh=fNHU+7Khoi1sWwvyzvZ7mMCWDf62+ZMBgq5o6LZY6Ok=; b=F5PK1bwvYsNFqDM4BBznum85afpQA2W2Pl59s/3tC/Z+h6dYlc2n7TEwW04v9tcQwJfzp0VGI j5tDWnx5QzcCpCJC1wn6wnzpK4bnecSH6bdLVbLXLingDA242BfPY+u X-Developer-Key: i=quic_vgarodia@quicinc.com; a=ed25519; pk=LY9Eqp4KiHWxzGNKGHbwRFEJOfRCSzG/rxQNmvZvaKE= X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nasanex01a.na.qualcomm.com (10.52.223.231) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: g6c8OSjScI_srl1Xt5j7X-SvqqVpQrMZ X-Proofpoint-ORIG-GUID: g6c8OSjScI_srl1Xt5j7X-SvqqVpQrMZ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-06_09,2024-09-06_01,2024-09-02_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 adultscore=0 priorityscore=1501 mlxscore=0 clxscore=1011 lowpriorityscore=0 mlxlogscore=999 suspectscore=0 phishscore=0 malwarescore=0 impostorscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2411120000 definitions=main-2411280039 There is a possibility that init_codecs is invoked multiple times during manipulated payload from video firmware. In such case, if codecs_count can get incremented to value more than MAX_CODEC_NUM, there can be OOB access. Reset the count so that it always starts from beginning. Cc: stable@vger.kernel.org Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") Signed-off-by: Vikash Garodia Reviewed-by: Bryan O'Donoghue --- drivers/media/platform/qcom/venus/hfi_parser.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c index 3df241dc3a118bcdeb2c28a6ffdb907b644d5653..1cc17f3dc8948160ea6c3015d2c03e475b8aa29e 100644 --- a/drivers/media/platform/qcom/venus/hfi_parser.c +++ b/drivers/media/platform/qcom/venus/hfi_parser.c @@ -17,6 +17,7 @@ typedef void (*func)(struct hfi_plat_caps *cap, const void *data, static void init_codecs(struct venus_core *core) { struct hfi_plat_caps *caps = core->caps, *cap; + core->codecs_count = 0; unsigned long bit; if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM) From patchwork Thu Nov 28 05:05:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vikash Garodia X-Patchwork-Id: 13887688 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4E51E1FAA; Thu, 28 Nov 2024 05:05:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732770338; cv=none; b=txvEk3GxOQ9lHey7/mm/pkTyye95qynEw6xYiD6PTlmbgwODatSrQLAahKHXGsCbcUlJcfsrmoi8q5VyRvoqRKub4uHBi37Rie4rZxYdVmg8sFqUKyr6AIzcLzLIzT3hRFXIDZ44H0pearQXexOCG5rKUBWnmBZSpXud6z8XwBc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732770338; c=relaxed/simple; bh=1abPHHaOsFiT2AQfqpZsBixI9UnWqdtG8QeiGTPDS3Y=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=mp5IEDpaqZmgYee4g6GCoKUsM656FtDD1Cje2u+fOgO6eCOxhVowhz0xWDnK/lZGaun5BM72Za7YzK77jucEiDpI5jl4qmpu2yiftxZuWOvOyByMFn2VBT+3QLOyqOf/gMz01zRQkWcwSkcdkiIWg8mFbB6liJ29WuxHuUKa6sc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=T4+xRzL+; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="T4+xRzL+" Received: from pps.filterd (m0279872.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 4ARGQahO004471; Thu, 28 Nov 2024 05:05:31 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=qcppdkim1; bh= mPfvUJnChTzJRALB+nmVbz0u/4AZKdtha0AiqiMd+nQ=; b=T4+xRzL+1aPCvit1 V0whBDgpcaMwq2490+NhJq+EKJWCNEtkg+G4XrjUAKyUc+XPQiWe4P3dghAiwpdL UPOI5iz2CJbOOmYtns3tx3yEATcazJcrCIFv536P4R5gQrVkemH5FPMc9HXfmH2w /WVwTEqot3sCIVtzva/OEhoTqVP/540HRaIC1aZFkSCuYkFGzVd/IrSL4KB/iJ3q gnPkLPtXhu6BE5o/RBap4dGGkug8LVe7Dsg4v8IoML+p4U7sP6xRk1fRMjwYov8I SdocTuvJHs59Qa12l6ImplZMUflVtQ1ilxM3GvhdbuTYQuFCb7mC5o0zG6A5v7rE EVCDxw== Received: from nasanppmta01.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4366xvhd06-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Nov 2024 05:05:30 +0000 (GMT) Received: from nasanex01a.na.qualcomm.com (nasanex01a.na.qualcomm.com [10.52.223.231]) by NASANPPMTA01.qualcomm.com (8.18.1.2/8.18.1.2) with ESMTPS id 4AS55Tx8013898 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Nov 2024 05:05:30 GMT Received: from hu-vgarodia-hyd.qualcomm.com (10.80.80.8) by nasanex01a.na.qualcomm.com (10.52.223.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.9; Wed, 27 Nov 2024 21:05:26 -0800 From: Vikash Garodia Date: Thu, 28 Nov 2024 10:35:12 +0530 Subject: [PATCH v2 2/4] media: venus: hfi_parser: avoid OOB access beyond payload word count Precedence: bulk X-Mailing-List: linux-arm-msm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <20241128-venus_oob_2-v2-2-483ae0a464b8@quicinc.com> References: <20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com> In-Reply-To: <20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com> To: Stanimir Varbanov , Bryan O'Donoghue , Mauro Carvalho Chehab , Tomasz Figa , Hans Verkuil CC: Stanimir Varbanov , Mauro Carvalho Chehab , Dmitry Baryshkov , , , , Vikash Garodia , X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1732770318; l=4462; i=quic_vgarodia@quicinc.com; s=20241104; h=from:subject:message-id; bh=1abPHHaOsFiT2AQfqpZsBixI9UnWqdtG8QeiGTPDS3Y=; b=bP1h9ZpaCdm3HYwJ33U1yD9hvpv8U0/zaV3vgiEvpSbymuERgtqvFD4gfsSkRL0YFh+6SQNEU 2QHbLjj6j9/D6ZonmdxqY7avOXiWsLoXGohY8he50z85/NuKhXmyH76 X-Developer-Key: i=quic_vgarodia@quicinc.com; a=ed25519; pk=LY9Eqp4KiHWxzGNKGHbwRFEJOfRCSzG/rxQNmvZvaKE= X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nasanex01a.na.qualcomm.com (10.52.223.231) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: jpMVbGHwHIIU4UjBMr91EkIJ288LW8IQ X-Proofpoint-ORIG-GUID: jpMVbGHwHIIU4UjBMr91EkIJ288LW8IQ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-06_09,2024-09-06_01,2024-09-02_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 mlxlogscore=999 clxscore=1011 adultscore=0 lowpriorityscore=0 suspectscore=0 mlxscore=0 spamscore=0 impostorscore=0 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2411120000 definitions=main-2411280039 words_count denotes the number of words in total payload, while data points to payload of various property within it. When words_count reaches last word, data can access memory beyond the total payload. This can lead to OOB access. Refactor the parsing logic such that the remaining payload is checked before parsing it. Cc: stable@vger.kernel.org Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_parser.c | 57 +++++++++++++++++++++----- 1 file changed, 46 insertions(+), 11 deletions(-) diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c index 1cc17f3dc8948160ea6c3015d2c03e475b8aa29e..14349c2f84b205a8b79dee3acff1408bb63ac54a 100644 --- a/drivers/media/platform/qcom/venus/hfi_parser.c +++ b/drivers/media/platform/qcom/venus/hfi_parser.c @@ -282,8 +282,8 @@ static int hfi_platform_parser(struct venus_core *core, struct venus_inst *inst) u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf, u32 size) { + u32 *words = buf, *payload, codecs = 0, domain = 0; unsigned int words_count = size >> 2; - u32 *word = buf, *data, codecs = 0, domain = 0; int ret; ret = hfi_platform_parser(core, inst); @@ -301,36 +301,71 @@ u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf, } while (words_count) { - data = word + 1; + payload = words + 1; - switch (*word) { + switch (*words) { case HFI_PROPERTY_PARAM_CODEC_SUPPORTED: - parse_codecs(core, data); + if (words_count < sizeof(struct hfi_codec_supported)) + return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; + + parse_codecs(core, payload); init_codecs(core); + words_count -= sizeof(struct hfi_codec_supported); + words += sizeof(struct hfi_codec_supported); break; case HFI_PROPERTY_PARAM_MAX_SESSIONS_SUPPORTED: - parse_max_sessions(core, data); + if (words_count < sizeof(struct hfi_max_sessions_supported)) + return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; + + parse_max_sessions(core, payload); + words_count -= sizeof(struct hfi_max_sessions_supported); + words += sizeof(struct hfi_max_sessions_supported); break; case HFI_PROPERTY_PARAM_CODEC_MASK_SUPPORTED: - parse_codecs_mask(&codecs, &domain, data); + if (words_count < sizeof(struct hfi_codec_mask_supported)) + return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; + + parse_codecs_mask(&codecs, &domain, payload); + words_count -= sizeof(struct hfi_codec_mask_supported); + words += sizeof(struct hfi_codec_mask_supported); break; case HFI_PROPERTY_PARAM_UNCOMPRESSED_FORMAT_SUPPORTED: - parse_raw_formats(core, codecs, domain, data); + if (words_count < sizeof(struct hfi_uncompressed_format_supported)) + return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; + + parse_raw_formats(core, codecs, domain, payload); + words_count -= sizeof(struct hfi_uncompressed_format_supported); + words += sizeof(struct hfi_uncompressed_format_supported); break; case HFI_PROPERTY_PARAM_CAPABILITY_SUPPORTED: - parse_caps(core, codecs, domain, data); + if (words_count < sizeof(struct hfi_capabilities)) + return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; + + parse_caps(core, codecs, domain, payload); + words_count -= sizeof(struct hfi_capabilities); + words += sizeof(struct hfi_capabilities); break; case HFI_PROPERTY_PARAM_PROFILE_LEVEL_SUPPORTED: - parse_profile_level(core, codecs, domain, data); + if (words_count < sizeof(struct hfi_profile_level_supported)) + return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; + + parse_profile_level(core, codecs, domain, payload); + words_count -= sizeof(struct hfi_profile_level_supported); + words += sizeof(struct hfi_profile_level_supported); break; case HFI_PROPERTY_PARAM_BUFFER_ALLOC_MODE_SUPPORTED: - parse_alloc_mode(core, codecs, domain, data); + if (words_count < sizeof(struct hfi_buffer_alloc_mode_supported)) + return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; + + parse_alloc_mode(core, codecs, domain, payload); + words_count -= sizeof(struct hfi_buffer_alloc_mode_supported); + words += sizeof(struct hfi_buffer_alloc_mode_supported); break; default: break; } - word++; + words++; words_count--; } From patchwork Thu Nov 28 05:05:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vikash Garodia X-Patchwork-Id: 13887690 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B0D9D146590; Thu, 28 Nov 2024 05:05:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732770341; cv=none; b=qtn9tQDH1e5GJyghJGKmtw/XyRcBONAalxU7meomUaqM6TOeWZOKCUR02xXHFVY6fwg8SxXin3aSWnFMQCZ3ruG6ieg1lguInxH1FCsh1BH+9jyDNN5dIUFKGC/QYhnqjYPbE4eCR2gmIgbauiq/phTM5KLCIXIgVVaarJfgUIA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732770341; c=relaxed/simple; bh=jyxVh72zpOzeJT4UKUZq97UvMPLjQY6a4C2jg+FkD5o=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=aI0PwhWb/MU5hkdpRBQYccmY3p4s8nU0aC3J797slNyhQYBp8Ec7y/cDXSMXhl2mQsD7YSGTOL9d4Cssu6Kb8SWll9H4Lo0fROAcx2TjzaFQXGGwhDm+mOGNyMagocecnFl2ZfEGtBMTjCoJKpIykiTzlsqZHVo7trS0FJO/o+w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=a6sBLb6g; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="a6sBLb6g" Received: from pps.filterd (m0279868.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 4ARGS8Xx020148; Thu, 28 Nov 2024 05:05:35 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=qcppdkim1; bh= QNoEP/x9RjeXJQhOtJc2kXmTr7UWnAk64kC/+PqHe+s=; b=a6sBLb6ggB2x2I7E mfIsPUf8S9k++t6ZSLSRMR+7HYdptMJ1cWTHBf+MGdTYKItOZuqO6K5PC+ltB+wN xsAuWqY7auRkoWDY66anwNPXcFJMstGDqMPKLf8KYnTN3vjtPsFj18s1dHwWPNZ+ SgBBC6EkTplj+eh7U9BJYIY6W/nn9D1J2Jm+UtQZBqwl6iCpuaByEvi7vRPVIkFy jGb2oFPUae3QJiwXWjuv1vU+RPcu7RPwk+074UiSjMpJDetGMFi4YO3t98ZJWmkh EK8mp3HE++U/NKEDYanVCye2G1cXjKPAZ1g7hgEjUyuLaV3I/sNn9/w8v6LDoSbg ZpUtRQ== Received: from nasanppmta02.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4366y01cbw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Nov 2024 05:05:34 +0000 (GMT) Received: from nasanex01a.na.qualcomm.com (nasanex01a.na.qualcomm.com [10.52.223.231]) by NASANPPMTA02.qualcomm.com (8.18.1.2/8.18.1.2) with ESMTPS id 4AS55XTO023566 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Nov 2024 05:05:33 GMT Received: from hu-vgarodia-hyd.qualcomm.com (10.80.80.8) by nasanex01a.na.qualcomm.com (10.52.223.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.9; Wed, 27 Nov 2024 21:05:30 -0800 From: Vikash Garodia Date: Thu, 28 Nov 2024 10:35:13 +0530 Subject: [PATCH v2 3/4] media: venus: hfi: add check to handle incorrect queue size Precedence: bulk X-Mailing-List: linux-arm-msm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <20241128-venus_oob_2-v2-3-483ae0a464b8@quicinc.com> References: <20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com> In-Reply-To: <20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com> To: Stanimir Varbanov , Bryan O'Donoghue , Mauro Carvalho Chehab , Tomasz Figa , Hans Verkuil CC: Stanimir Varbanov , Mauro Carvalho Chehab , Dmitry Baryshkov , , , , Vikash Garodia , X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1732770318; l=1783; i=quic_vgarodia@quicinc.com; s=20241104; h=from:subject:message-id; bh=jyxVh72zpOzeJT4UKUZq97UvMPLjQY6a4C2jg+FkD5o=; b=WtY55EEy1ovO7sc0lUafkMoUignvg9EStZi5y6LBX3Tot6bit6pI/xZqlMlcsLH47tls0WcF5 S29SJThCX4pDmE4/CMDU5NbZ8SJRjs6nBQWSc7qYBX5LDN3M5hLha37 X-Developer-Key: i=quic_vgarodia@quicinc.com; a=ed25519; pk=LY9Eqp4KiHWxzGNKGHbwRFEJOfRCSzG/rxQNmvZvaKE= X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nasanex01a.na.qualcomm.com (10.52.223.231) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: m4iJS9lm8rB6xMcLPLCdzpeUV6Wxdi_A X-Proofpoint-GUID: m4iJS9lm8rB6xMcLPLCdzpeUV6Wxdi_A X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-06_09,2024-09-06_01,2024-09-02_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1011 phishscore=0 priorityscore=1501 bulkscore=0 malwarescore=0 adultscore=0 suspectscore=0 mlxlogscore=703 spamscore=0 mlxscore=0 lowpriorityscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2411120000 definitions=main-2411280039 qsize represents size of shared queued between driver and video firmware. Firmware can modify this value to an invalid large value. In such situation, empty_space will be bigger than the space actually available. Since new_wr_idx is not checked, so the following code will result in an OOB write. ... qsize = qhdr->q_size if (wr_idx >= rd_idx) empty_space = qsize - (wr_idx - rd_idx) .... if (new_wr_idx < qsize) { memcpy(wr_ptr, packet, dwords << 2) --> OOB write Add check to ensure qsize is within the allocated size while reading and writing packets into the queue. Cc: stable@vger.kernel.org Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Reviewed-by: Bryan O'Donoghue Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_venus.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c index f9437b6412b91c2483670a2b11f4fd43f3206404..6b615270c5dae470c6fad408c9b5bc037883e56e 100644 --- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c @@ -187,6 +187,9 @@ static int venus_write_queue(struct venus_hfi_device *hdev, /* ensure rd/wr indices's are read from memory */ rmb(); + if (qsize > IFACEQ_QUEUE_SIZE / 4) + return -EINVAL; + if (wr_idx >= rd_idx) empty_space = qsize - (wr_idx - rd_idx); else @@ -255,6 +258,9 @@ static int venus_read_queue(struct venus_hfi_device *hdev, wr_idx = qhdr->write_idx; qsize = qhdr->q_size; + if (qsize > IFACEQ_QUEUE_SIZE / 4) + return -EINVAL; + /* make sure data is valid before using it */ rmb(); From patchwork Thu Nov 28 05:05:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vikash Garodia X-Patchwork-Id: 13887691 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8998914A0B7; Thu, 28 Nov 2024 05:05:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732770345; cv=none; b=ZgKuunC9ft1b7qTo6iRaDlrre0AdBD0aqigrJEHphcVm/giEaJiZaiQJvSJ4tIhVu+Mm1/663cmfnY8kBsXKr/Kn43GD50QHxjmPywVAOlQQ+O1JmVLnZENYZeNSirvOSoHo/HfKa4McWWEb5owxSXxAgSjbu0fByLmNgtT03H4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732770345; c=relaxed/simple; bh=momNFG7HmrlvZT1BkDBQhwhSFM+A1S+Ius0MDXLSgYE=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=n78aBxScbPrYCssdxrbJ59bLS0iF+LjnOTsG8RurrrDix4Hvh0M4bP8jfzwasEWIcqHARU/Y3vFw0hO2qYs7KGblJvHKfXAdESd1aaDRhVEN4n6z8R149vVje9vAmc1bJg8F0JnSVQBKEWQTp0/7qVx6z9Nbud8f9uoaICBoy7k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=GWFCXK1r; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="GWFCXK1r" Received: from pps.filterd (m0279870.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 4ARGQqFN029608; Thu, 28 Nov 2024 05:05:38 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=qcppdkim1; bh= dwccvR0I8r73vh8lHYvXtH8o48ByEI6FWFPxtm9adwg=; b=GWFCXK1rLmso1+BL UjjuHoET//5Q4dig1Xg6WQxtMG60sYQDjmWph3GihGixcaUe8wUKeSABNF83lnZk UzYXog9pr254VaWogHtSw6tRpOTCgoEOGvLiaGMH4Fs80NZDMtO4tEmxxgOu2jqp zKJtDmM1vQAnv7j9INSwzG9vpaBPqwJGH+l2LpRJqNElNTt8dtaS1re7mM0oXePq bDqCsVSIiscsaxgsuCbFu5tHXWxI4+xXMzF5mov3aaasqYLaqer6EY9IHP6vHHki QdLD5ZrGTkXlNtBq9UUXtC0sBAnkH7qPDgWEhDw0z4PVrfO1ZclcASObokx6zCZq +9ONfA== Received: from nasanppmta01.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4366xxhd1d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Nov 2024 05:05:38 +0000 (GMT) Received: from nasanex01a.na.qualcomm.com (nasanex01a.na.qualcomm.com [10.52.223.231]) by NASANPPMTA01.qualcomm.com (8.18.1.2/8.18.1.2) with ESMTPS id 4AS55bX5013967 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Nov 2024 05:05:37 GMT Received: from hu-vgarodia-hyd.qualcomm.com (10.80.80.8) by nasanex01a.na.qualcomm.com (10.52.223.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.9; Wed, 27 Nov 2024 21:05:33 -0800 From: Vikash Garodia Date: Thu, 28 Nov 2024 10:35:14 +0530 Subject: [PATCH v2 4/4] media: venus: hfi: add a check to handle OOB in sfr region Precedence: bulk X-Mailing-List: linux-arm-msm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <20241128-venus_oob_2-v2-4-483ae0a464b8@quicinc.com> References: <20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com> In-Reply-To: <20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com> To: Stanimir Varbanov , Bryan O'Donoghue , Mauro Carvalho Chehab , Tomasz Figa , Hans Verkuil CC: Stanimir Varbanov , Mauro Carvalho Chehab , Dmitry Baryshkov , , , , Vikash Garodia , X-Mailer: b4 0.14.2 X-Developer-Signature: v=1; a=ed25519-sha256; t=1732770318; l=1564; i=quic_vgarodia@quicinc.com; s=20241104; h=from:subject:message-id; bh=momNFG7HmrlvZT1BkDBQhwhSFM+A1S+Ius0MDXLSgYE=; b=o3cddvPifdHMpz/sY3bPYGoPg1oAz/6fk1tbBC4Vk5DnMT1IVGki7QvwC8D1vPBQX5TEreMRK 7UdlnLeqj74AcEz/1jwwc2/AQTQpK0xSwnHYAWAFdLlc7+D8z03DSCc X-Developer-Key: i=quic_vgarodia@quicinc.com; a=ed25519; pk=LY9Eqp4KiHWxzGNKGHbwRFEJOfRCSzG/rxQNmvZvaKE= X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nasanex01a.na.qualcomm.com (10.52.223.231) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: bWmMskfo2w9Z3UX6TvkjcIl4Ygu_Qvje X-Proofpoint-ORIG-GUID: bWmMskfo2w9Z3UX6TvkjcIl4Ygu_Qvje X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-06_09,2024-09-06_01,2024-09-02_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1011 adultscore=0 lowpriorityscore=0 impostorscore=0 bulkscore=0 mlxscore=0 malwarescore=0 priorityscore=1501 spamscore=0 mlxlogscore=968 phishscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2411120000 definitions=main-2411280039 sfr->buf_size is in shared memory and can be modified by malicious user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases. Cc: stable@vger.kernel.org Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Reviewed-by: Bryan O'Donoghue Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_venus.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c index 6b615270c5dae470c6fad408c9b5bc037883e56e..c3113420d266e61fcab44688580288d7408b50f4 100644 --- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c @@ -1041,18 +1041,23 @@ static void venus_sfr_print(struct venus_hfi_device *hdev) { struct device *dev = hdev->core->dev; struct hfi_sfr *sfr = hdev->sfr.kva; + u32 size; void *p; if (!sfr) return; - p = memchr(sfr->data, '\0', sfr->buf_size); + size = sfr->buf_size; + if (size > ALIGNED_SFR_SIZE) + size = ALIGNED_SFR_SIZE; + + p = memchr(sfr->data, '\0', size); /* * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates * that Venus is in the process of crashing. */ if (!p) - sfr->data[sfr->buf_size - 1] = '\0'; + sfr->data[size - 1] = '\0'; dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data); }