From patchwork Thu Feb 20 17:20:11 2025
X-Patchwork-Submitter: Vikash Garodia
X-Patchwork-Id: 866953
From: Vikash Garodia
Date: Thu, 20 Feb 2025 22:50:11 +0530
Subject: [PATCH v5 4/4] media: venus: hfi: add a check to handle OOB in sfr region
X-Mailing-List: linux-media@vger.kernel.org
Message-ID: <20250220-venus_oob_2-v5-4-4d29347c669a@quicinc.com>
References: <20250220-venus_oob_2-v5-0-4d29347c669a@quicinc.com>
In-Reply-To: <20250220-venus_oob_2-v5-0-4d29347c669a@quicinc.com>
To: Stanimir Varbanov, Bryan O'Donoghue, Mauro Carvalho Chehab, Tomasz Figa, Hans Verkuil
CC: Stanimir Varbanov, Mauro Carvalho Chehab, Dmitry Baryshkov, Vikash Garodia
X-Mailer: b4 0.14.2

sfr->buf_size is in shared memory and can be modified by a malicious
user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases. Cc: stable@vger.kernel.org Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Reviewed-by: Bryan O'Donoghue Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c index 6b615270c5dae470c6fad408c9b5bc037883e56e..ab93757fff4b31910f05831170ca1a54f4925b2b 100644 --- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c @@ -1041,18 +1041,26 @@ static void venus_sfr_print(struct venus_hfi_device *hdev) { struct device *dev = hdev->core->dev; struct hfi_sfr *sfr = hdev->sfr.kva; + u32 size; void *p; if (!sfr) return; - p = memchr(sfr->data, '\0', sfr->buf_size); + size = sfr->buf_size; + if (!size) + return; + + if (size > ALIGNED_SFR_SIZE) + size = ALIGNED_SFR_SIZE; + + p = memchr(sfr->data, '\0', size); /* * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates * that Venus is in the process of crashing. */ if (!p) - sfr->data[sfr->buf_size - 1] = '\0'; + sfr->data[size - 1] = '\0'; dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data); }
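Review bot: the clamp in venus_sfr_print() caps `size` at ALIGNED_SFR_SIZE, but the span that memchr() scans and that `sfr->data[size - 1] = '\0';` writes starts at `sfr->data`, which is a separate member from `sfr->buf_size` inside the same `hdev->sfr.kva` mapping. If ALIGNED_SFR_SIZE is the size of the whole sfr allocation rather than of data[] alone, a firmware-reported buf_size larger than the region still gets clamped to a value whose `size - 1` index lands past the end of data[] by the size of the header; the cap should then be `ALIGNED_SFR_SIZE - offsetof(struct hfi_sfr, data)`, or the commit message should state why data[] really holds ALIGNED_SFR_SIZE bytes. Reading buf_size into a local once is the right fix for the old double read (once for memchr(), again for the index), but since the commit message says the field lives in memory the firmware can rewrite, `size = sfr->buf_size;` should be `size = READ_ONCE(sfr->buf_size);` so the compiler cannot re-load the field after the clamp; memchr() is a pure builtin and gives it no reason to keep the local around. A ratelimited message when buf_size had to be clamped would also be worth having, since a firmware reporting an impossible size is itself a symptom of the crash being diagnosed.

As an added example, not code from the venus driver or from this patch, the C model below reproduces the pattern the commit message describes: a status region shared with firmware carries its own length field, the reader trusts it for both memchr() and the terminating write, and the fix is to snapshot the length once, clamp it to the bytes that really exist after the header, and terminate inside that span. The struct layout, the 4 KiB region size, the guard canary, and every name (struct sfr_shm, SFR_ALLOC_SIZE, SFR_DATA_CAP, sfr_read_message, sfr_demo) are assumptions made for illustration; the cap is a parameter so the harness can show what happens when it is measured from the start of the allocation instead of from data[].

```c
/*
 * Added example, not the venus driver's code.  Models a firmware-shared
 * status buffer with an untrusted length field.  Layout, sizes and names
 * are assumptions for illustration only.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SFR_ALLOC_SIZE 4096U   /* assumed size of the whole shared region */
#define GUARD_SIZE     16U     /* canary the harness places after the region */

struct sfr_shm {
	uint32_t buf_size;   /* written by firmware: untrusted */
	uint8_t  data[];     /* message text; firmware may omit the NUL */
};

/* Bytes of data[] that really exist: the header comes first. */
#define SFR_DATA_CAP (SFR_ALLOC_SIZE - offsetof(struct sfr_shm, data))

/*
 * Hardened reader: snapshot the untrusted length once (the volatile read
 * stands in for the kernel's READ_ONCE()), reject zero, clamp to data_cap,
 * and NUL-terminate inside that span before treating data[] as a string.
 * Returns the message length, or -1 if there is nothing to print.
 */
static long sfr_read_message(struct sfr_shm *sfr, size_t data_cap,
			     char *out, size_t out_len)
{
	uint32_t size;
	const uint8_t *nul;
	size_t len;

	if (!sfr)
		return -1;

	size = *(volatile uint32_t *)&sfr->buf_size;
	if (!size)
		return -1;
	if (size > data_cap)
		size = (uint32_t)data_cap;

	nul = memchr(sfr->data, '\0', size);
	if (!nul) {
		sfr->data[size - 1] = '\0';   /* in bounds only if data_cap is right */
		len = size - 1;
	} else {
		len = (size_t)(nul - sfr->data);
	}

	if (out && out_len > len) {
		memcpy(out, sfr->data, len);
		out[len] = '\0';
	}
	return (long)len;
}

struct sfr_harness {
	unsigned char *mem;     /* SFR_ALLOC_SIZE bytes followed by the canary */
	struct sfr_shm *sfr;
};

/* Constructed region: unterminated 'A's and a firmware-chosen buf_size. */
static struct sfr_harness sfr_harness_new(uint32_t fw_buf_size)
{
	struct sfr_harness h;

	h.mem = malloc(SFR_ALLOC_SIZE + GUARD_SIZE);
	if (!h.mem)
		abort();
	memset(h.mem, 'A', SFR_ALLOC_SIZE);
	memset(h.mem + SFR_ALLOC_SIZE, 0xEE, GUARD_SIZE);
	h.sfr = (struct sfr_shm *)h.mem;
	h.sfr->buf_size = fw_buf_size;
	return h;
}

/* 1 if nothing was written past the region, 0 if the canary was clobbered. */
static int sfr_harness_guard_intact(const struct sfr_harness *h)
{
	for (size_t i = 0; i < GUARD_SIZE; i++)
		if (h->mem[SFR_ALLOC_SIZE + i] != 0xEE)
			return 0;
	return 1;
}

/* Run the reader under a given cap; returns the length, reports the canary. */
static long sfr_demo(uint32_t fw_buf_size, size_t data_cap, int *guard_ok)
{
	char msg[SFR_ALLOC_SIZE];
	struct sfr_harness h = sfr_harness_new(fw_buf_size);
	long len = sfr_read_message(h.sfr, data_cap, msg, sizeof(msg));

	if (guard_ok)
		*guard_ok = sfr_harness_guard_intact(&h);
	free(h.mem);
	return len;
}

int main(void)
{
	int ok;
	long len;

	/* Firmware claims 4 GiB; a cap measured from data[] stays in bounds. */
	len = sfr_demo(0xFFFFFFFFu, SFR_DATA_CAP, &ok);
	printf("cap from data[]:    len=%ld guard_intact=%d\n", len, ok);
	/* A cap equal to the whole allocation forgets the header bytes. */
	len = sfr_demo(0xFFFFFFFFu, SFR_ALLOC_SIZE, &ok);
	printf("cap = alloc size:   len=%ld guard_intact=%d\n", len, ok);
	return 0;
}
```

With the 4 KiB layout assumed here the first run terminates the text at data[4091] and leaves the canary untouched, while the second run writes data[4095], which is offset 4099 of a 4096-byte region, and corrupts the canary: the same clamp, applied to the wrong base, is still an out-of-bounds write by exactly the size of the header.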