From patchwork Thu Jul 27 04:34:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vikash Garodia X-Patchwork-Id: 707373 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2881DEB64DD for ; Thu, 27 Jul 2023 04:35:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231536AbjG0Efx (ORCPT ); Thu, 27 Jul 2023 00:35:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60096 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231367AbjG0Efo (ORCPT ); Thu, 27 Jul 2023 00:35:44 -0400 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 921662D4E; Wed, 26 Jul 2023 21:35:31 -0700 (PDT) Received: from pps.filterd (m0279863.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 36R3iaVD014865; Thu, 27 Jul 2023 04:35:25 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-type; s=qcppdkim1; bh=svPmzVI+7eFon/1ocEodK5MNmMYxEhx6SeLGE+hwf/s=; b=nA6M0sljBsdXz0X4ZJSUTF7pPeDdcQzJtFrqxnPnNpAb6x1OTVNBz+DoJ7uS3bPgtMSv T55MaxKqL4M1CipQhwB7XhwQ808JCqwxy5tANtKcciu+/bfVeKCuKADDqaChYP71878v BftnKN3cl8h2GWb2S8SM+RUnHAs1qRa4LH0M+eipG1Ghxq8SgDRUEM8iGoKrEeCzH7G8 N0jKOlRusAxwUDX9MjBOu0BmN4P5njuSQoRdGGfYpl237ZSF7bCbZv2tDdgid7AjqlCp VTiwh5bZFPwYW7hX/h4//JzgX4v5wkvOBEAbQ2T4km1U+Lv2BOoNg0zFriW9HwrV665y sQ== Received: from nasanppmta05.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3s336t1ps4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 27 Jul 2023 04:35:25 +0000 Received: from nasanex01a.na.qualcomm.com (nasanex01a.na.qualcomm.com [10.52.223.231]) by NASANPPMTA05.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 36R4ZOCs008336 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 27 Jul 2023 04:35:24 GMT Received: from hu-vgarodia-hyd.qualcomm.com (10.80.80.8) by nasanex01a.na.qualcomm.com (10.52.223.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.30; Wed, 26 Jul 2023 21:35:20 -0700 From: Vikash Garodia To: , , , , , , , CC: , , , , Vikash Garodia Subject: [PATCH 4/4] venus: hfi_parser: Add check to keep the number of codecs within range Date: Thu, 27 Jul 2023 10:04:29 +0530 Message-ID: <1690432469-14803-5-git-send-email-quic_vgarodia@quicinc.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1690432469-14803-1-git-send-email-quic_vgarodia@quicinc.com> References: <1690432469-14803-1-git-send-email-quic_vgarodia@quicinc.com> MIME-Version: 1.0 X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01b.na.qualcomm.com (10.46.141.250) To nasanex01a.na.qualcomm.com (10.52.223.231) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: DxI9Z8gqI8_QxqUSDGZsv-WpMyzurp5r X-Proofpoint-GUID: DxI9Z8gqI8_QxqUSDGZsv-WpMyzurp5r X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.591,FMLib:17.11.176.26 definitions=2023-07-26_08,2023-07-26_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0 clxscore=1015 mlxlogscore=999 adultscore=0 lowpriorityscore=0 suspectscore=0 priorityscore=1501 bulkscore=0 impostorscore=0 mlxscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2306200000 definitions=main-2307270041 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org Supported codec bitmask is populated from the payload from venus firmware. There is a possible case when all the bits in the codec bitmask is set. In such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized. Now while filling the caps for encoder, it can lead to access the caps array beyong 32 index. Hence leading to OOB write. The fix counts the supported encoder and decoder. If the count is more than max, then it skips accessing the caps. Cc: stable@vger.kernel.org Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_parser.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c index ec73cac..651e215 100644 --- a/drivers/media/platform/qcom/venus/hfi_parser.c +++ b/drivers/media/platform/qcom/venus/hfi_parser.c @@ -14,11 +14,26 @@ typedef void (*func)(struct hfi_plat_caps *cap, const void *data, unsigned int size); +static int count_setbits(u32 input) +{ + u32 count = 0; + + while (input > 0) { + if ((input & 1) == 1) + count++; + input >>= 1; + } + return count; +} + static void init_codecs(struct venus_core *core) { struct hfi_plat_caps *caps = core->caps, *cap; unsigned long bit; + if ((count_setbits(core->dec_codecs) + count_setbits(core->enc_codecs)) > MAX_CODEC_NUM) + return; + for_each_set_bit(bit, &core->dec_codecs, MAX_CODEC_NUM) { cap = &caps[core->codecs_count++]; cap->codec = BIT(bit);