| Message ID | 1691634304-2158-3-git-send-email-quic_vgarodia@quicinc.com |
|---|---|
| State | Accepted |
| Commit | b18e36dfd6c935da60a971310374f3dfec3c82e1 |
| Headers | show |
| Series | Venus driver fixes to avoid possible OOB accesses | expand |
On 10/08/2023 03:25, Vikash Garodia wrote: > Buffer requirement, for different buffer type, comes from video firmware. > While copying these requirements, there is an OOB possibility when the > payload from firmware is more than expected size. Fix the check to avoid > the OOB possibility. > > Cc: stable@vger.kernel.org > Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") > Reviewed-by: Nathan Hebert <nhebert@chromium.org> > Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> > --- > drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c > index 3d5dadf..3e85bd8 100644 > --- a/drivers/media/platform/qcom/venus/hfi_msgs.c > +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c > @@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt, > memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); > idx++; > > - if (idx > HFI_BUFFER_TYPE_MAX) > + if (idx >= HFI_BUFFER_TYPE_MAX) > return HFI_ERR_SESSION_INVALID_PARAMETER; > > req_bytes -= sizeof(struct hfi_buffer_requirements); Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 3d5dadf..3e85bd8 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt, memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); idx++; - if (idx > HFI_BUFFER_TYPE_MAX) + if (idx >= HFI_BUFFER_TYPE_MAX) return HFI_ERR_SESSION_INVALID_PARAMETER; req_bytes -= sizeof(struct hfi_buffer_requirements);
Buffer requirement, for different buffer type, comes from video firmware. While copying these requirements, there is an OOB possibility when the payload from firmware is more than expected size. Fix the check to avoid the OOB possibility. Cc: stable@vger.kernel.org Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Reviewed-by: Nathan Hebert <nhebert@chromium.org> Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> --- drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)