drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c | 7 +++++++ 1 file changed, 7 insertions(+)
The variable *nplanes is provided by the user via a system call argument. The
possible value of q_data->fmt->num_planes is 1-3, while the value
of *nplanes can be 1-8. The array access by index i can therefore go
out of bounds.
Fix this bug by checking *nplanes against the array size.
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
---
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
index 641f533c417f..cae34cc7c807 100644
--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
+++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
@@ -753,6 +753,13 @@ int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
}
if (*nplanes) {
+ if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
+ if (*nplanes != q_data->fmt->num_planes)
+ return -EINVAL;
+ else
+ if (*nplanes != 1)
+ return -EINVAL;
+
for (i = 0; i < *nplanes; i++) {
if (sizes[i] < q_data->sizeimage[i])
return -EINVAL;
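Review bot: The bare `else` in the added block binds to the inner `if (*nplanes != q_data->fmt->num_planes)`, not to the `vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE` test, because C attaches an else to the nearest unbraced if. As written, a multi-plane capture queue whose *nplanes equals num_planes falls through to `if (*nplanes != 1) return -EINVAL;` and is rejected whenever num_planes is greater than 1, while a non-MPLANE queue receives no check at all, so the out-of-bounds index in the `sizes[i]`/`q_data->sizeimage[i]` loop that the patch means to close is still reachable on that path. Brace both branches: change the first added line to `if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {`, replace the bare `else` with `} else {`, and add a closing `}` after the second `return -EINVAL;`. With that, the loop below is bounded by num_planes on the MPLANE path and by 1 otherwise; whether sizeimage[] is sized for the largest num_planes cannot be confirmed from this hunk. The enclosing function vb2ops_vdec_queue_setup starts before and continues after this hunk.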
--
2.25.1
Hi,
Le mardi 28 mars 2023 à 10:09 +0000, Wei Chen a écrit :
> variable *nplanes is provided by user via system call argument. The
> possible value of q_data->fmt->num_planes is 1-3, while the value
> of *nplanes can be 1-8. The array access by index i can cause array
> out-of-bounds.
>
> Fix this bug by checking *nplanes against the array size.
>
> Signed-off-by: Wei Chen <harperchen1110@gmail.com>
> ---
> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
> index 641f533c417f..cae34cc7c807 100644
> --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
> +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
> @@ -753,6 +753,13 @@ int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
> }
>
> if (*nplanes) {
> + if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
> + if (*nplanes != q_data->fmt->num_planes)
> + return -EINVAL;
> + else
> + if (*nplanes != 1)
> + return -EINVAL;
> +
> for (i = 0; i < *nplanes; i++) {
> if (sizes[i] < q_data->sizeimage[i])
> return -EINVAL;
A bit of context, *nplanes is non zero only when called from VIDIOC_CREATE_BUFS.
I think this highlights a bigger problem around the format in
VIDIOC_CREATE_BUFS. The format should be validated through TRY_FMT in some ways,
notably to apply the HW required alignment, but also to avoid having to validate
that lower in the stack.
Nicolas
Hi Wei,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on media-tree/master]
[also build test WARNING on linus/master v6.3-rc4 next-20230328]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
base: git://linuxtv.org/media_tree.git master
patch link: https://lore.kernel.org/r/20230328100951.536955-1-harperchen1110%40gmail.com
patch subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
config: csky-randconfig-r013-20230327 (https://download.01.org/0day-ci/archive/20230329/202303290137.F9lOyCT4-lkp@intel.com/config)
compiler: csky-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
git checkout caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=csky olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=csky SHELL=/bin/bash drivers/media/platform/mediatek/vcodec/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303290137.F9lOyCT4-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from include/asm-generic/div64.h:27,
from ./arch/csky/include/generated/asm/div64.h:1,
from include/linux/math.h:6,
from include/linux/math64.h:6,
from include/linux/time.h:6,
from include/linux/videodev2.h:59,
from include/media/v4l2-event.h:16,
from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:8:
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c: In function 'vb2ops_vdec_queue_setup':
>> include/linux/compiler.h:56:26: warning: suggest explicit braces to avoid ambiguous 'else' [-Wdangling-else]
56 | #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
| ^
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:756:17: note: in expansion of macro 'if'
756 | if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
| ^~
vim +/else +56 include/linux/compiler.h
2bcd521a684cc9 Steven Rostedt 2008-11-21 50
2bcd521a684cc9 Steven Rostedt 2008-11-21 51 #ifdef CONFIG_PROFILE_ALL_BRANCHES
2bcd521a684cc9 Steven Rostedt 2008-11-21 52 /*
2bcd521a684cc9 Steven Rostedt 2008-11-21 53 * "Define 'is'", Bill Clinton
2bcd521a684cc9 Steven Rostedt 2008-11-21 54 * "Define 'if'", Steven Rostedt
2bcd521a684cc9 Steven Rostedt 2008-11-21 55 */
a15fd609ad53a6 Linus Torvalds 2019-03-20 @56 #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
a15fd609ad53a6 Linus Torvalds 2019-03-20 57
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
Hi Wei,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on media-tree/master]
[also build test WARNING on linus/master v6.3-rc4 next-20230328]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
base: git://linuxtv.org/media_tree.git master
patch link: https://lore.kernel.org/r/20230328100951.536955-1-harperchen1110%40gmail.com
patch subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
config: s390-randconfig-r044-20230327 (https://download.01.org/0day-ci/archive/20230329/202303290153.AP9Oe2GL-lkp@intel.com/config)
compiler: clang version 17.0.0 (https://github.com/llvm/llvm-project 67409911353323ca5edf2049ef0df54132fa1ca7)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install s390 cross compiling tool for clang build
# apt-get install binutils-s390x-linux-gnu
# https://github.com/intel-lab-lkp/linux/commit/caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
git checkout caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=s390 olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=s390 SHELL=/bin/bash drivers/media/platform/mediatek/vcodec/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303290153.AP9Oe2GL-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:9:
In file included from include/media/v4l2-mem2mem.h:16:
In file included from include/media/videobuf2-v4l2.h:16:
In file included from include/media/videobuf2-core.h:18:
In file included from include/linux/dma-buf.h:16:
In file included from include/linux/iosys-map.h:10:
In file included from include/linux/io.h:13:
In file included from arch/s390/include/asm/io.h:75:
include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
val = __raw_readb(PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
#define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
^
include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
#define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
^
In file included from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:9:
In file included from include/media/v4l2-mem2mem.h:16:
In file included from include/media/videobuf2-v4l2.h:16:
In file included from include/media/videobuf2-core.h:18:
In file included from include/linux/dma-buf.h:16:
In file included from include/linux/iosys-map.h:10:
In file included from include/linux/io.h:13:
In file included from arch/s390/include/asm/io.h:75:
include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
#define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
^
include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
#define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
^
In file included from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:9:
In file included from include/media/v4l2-mem2mem.h:16:
In file included from include/media/videobuf2-v4l2.h:16:
In file included from include/media/videobuf2-core.h:18:
In file included from include/linux/dma-buf.h:16:
In file included from include/linux/iosys-map.h:10:
In file included from include/linux/io.h:13:
In file included from arch/s390/include/asm/io.h:75:
include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
__raw_writeb(value, PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
__raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
__raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:692:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
readsb(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:700:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
readsw(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:708:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
readsl(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:717:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
writesb(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:726:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
writesw(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
include/asm-generic/io.h:735:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
writesl(PCI_IOBASE + addr, buffer, count);
~~~~~~~~~~ ^
>> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:759:3: warning: add explicit braces to avoid dangling else [-Wdangling-else]
else
^
13 warnings generated.
vim +759 drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
739
740 int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
741 unsigned int *nplanes, unsigned int sizes[],
742 struct device *alloc_devs[])
743 {
744 struct mtk_vcodec_ctx *ctx = vb2_get_drv_priv(vq);
745 struct mtk_q_data *q_data;
746 unsigned int i;
747
748 q_data = mtk_vdec_get_q_data(ctx, vq->type);
749
750 if (q_data == NULL) {
751 mtk_v4l2_err("vq->type=%d err\n", vq->type);
752 return -EINVAL;
753 }
754
755 if (*nplanes) {
756 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
757 if (*nplanes != q_data->fmt->num_planes)
758 return -EINVAL;
> 759 else
760 if (*nplanes != 1)
761 return -EINVAL;
762
763 for (i = 0; i < *nplanes; i++) {
764 if (sizes[i] < q_data->sizeimage[i])
765 return -EINVAL;
766 }
767 } else {
768 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
769 *nplanes = q_data->fmt->num_planes;
770 else
771 *nplanes = 1;
772
773 for (i = 0; i < *nplanes; i++)
774 sizes[i] = q_data->sizeimage[i];
775 }
776
777 mtk_v4l2_debug(1,
778 "[%d]\t type = %d, get %d plane(s), %d buffer(s) of size 0x%x 0x%x ",
779 ctx->id, vq->type, *nplanes, *nbuffers,
780 sizes[0], sizes[1]);
781
782 return 0;
783 }
784
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
Hi Wei,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on media-tree/master]
[also build test WARNING on linus/master v6.3-rc4 next-20230328]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
base: git://linuxtv.org/media_tree.git master
patch link: https://lore.kernel.org/r/20230328100951.536955-1-harperchen1110%40gmail.com
patch subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
config: riscv-allmodconfig (https://download.01.org/0day-ci/archive/20230328/202303282152.CXxK3RNH-lkp@intel.com/config)
compiler: riscv64-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
git checkout caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=riscv olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=riscv SHELL=/bin/bash drivers/media/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303282152.CXxK3RNH-lkp@intel.com/
All warnings (new ones prefixed by >>):
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c: In function 'vb2ops_vdec_queue_setup':
>> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:756:20: warning: suggest explicit braces to avoid ambiguous 'else' [-Wdangling-else]
756 | if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
| ^
vim +/else +756 drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
739
740 int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
741 unsigned int *nplanes, unsigned int sizes[],
742 struct device *alloc_devs[])
743 {
744 struct mtk_vcodec_ctx *ctx = vb2_get_drv_priv(vq);
745 struct mtk_q_data *q_data;
746 unsigned int i;
747
748 q_data = mtk_vdec_get_q_data(ctx, vq->type);
749
750 if (q_data == NULL) {
751 mtk_v4l2_err("vq->type=%d err\n", vq->type);
752 return -EINVAL;
753 }
754
755 if (*nplanes) {
> 756 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
757 if (*nplanes != q_data->fmt->num_planes)
758 return -EINVAL;
759 else
760 if (*nplanes != 1)
761 return -EINVAL;
762
763 for (i = 0; i < *nplanes; i++) {
764 if (sizes[i] < q_data->sizeimage[i])
765 return -EINVAL;
766 }
767 } else {
768 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
769 *nplanes = q_data->fmt->num_planes;
770 else
771 *nplanes = 1;
772
773 for (i = 0; i < *nplanes; i++)
774 sizes[i] = q_data->sizeimage[i];
775 }
776
777 mtk_v4l2_debug(1,
778 "[%d]\t type = %d, get %d plane(s), %d buffer(s) of size 0x%x 0x%x ",
779 ctx->id, vq->type, *nplanes, *nbuffers,
780 sizes[0], sizes[1]);
781
782 return 0;
783 }
784
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests