Variable *nplanes is provided by the user via a system call argument. The
possible value of q_data->fmt->num_planes is 1-3, while the value
of *nplanes can be 1-8. The array access by index i can go out of
bounds.

Fix this bug by checking *nplanes against the array size.

Signed-off-by: Wei Chen <harperchen1110@gmail.com>
---
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
index 641f533c417f..cae34cc7c807 100644
--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
+++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
@@ -753,6 +753,13 @@ int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
}
if (*nplanes) {
+ if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
+ if (*nplanes != q_data->fmt->num_planes)
+ return -EINVAL;
+ else
+ if (*nplanes != 1)
+ return -EINVAL;
+
for (i = 0; i < *nplanes; i++) {
if (sizes[i] < q_data->sizeimage[i])
return -EINVAL;
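Review bot: the `+ else` on the fourth added line binds to the inner `if (*nplanes != q_data->fmt->num_planes)`, not to the `if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)` it is indented under, because neither arm is braced. As written, a capture-MPLANE request whose *nplanes equals num_planes falls into that else and is rejected whenever num_planes is not 1, while any other queue type reaches the for loop with no check at all, so the out-of-bounds index the commit message describes is still reachable there. Brace both arms: `if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {` / `} else {` / `}`; this is also the -Wdangling-else warning the kernel test robot reports further down the thread.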
--
2.25.1
Hi,

On Tuesday 28 March 2023 at 10:09 +0000, Wei Chen wrote:
> variable *nplanes is provided by user via system call argument. The
> possible value of q_data->fmt->num_planes is 1-3, while the value
> of *nplanes can be 1-8. The array access by index i can cause array
> out-of-bounds.
>
> Fix this bug by checking *nplanes against the array size.
>
> Signed-off-by: Wei Chen <harperchen1110@gmail.com>
> ---
> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
> index 641f533c417f..cae34cc7c807 100644
> --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
> +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c
> @@ -753,6 +753,13 @@ int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
> }
>
> if (*nplanes) {
> + if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
> + if (*nplanes != q_data->fmt->num_planes)
> + return -EINVAL;
> + else
> + if (*nplanes != 1)
> + return -EINVAL;
> +
> for (i = 0; i < *nplanes; i++) {
> if (sizes[i] < q_data->sizeimage[i])
> return -EINVAL;

A bit of context: *nplanes is non-zero only when called from VIDIOC_CREATE_BUFS. I think this highlights a bigger problem around the format in VIDIOC_CREATE_BUFS. The format should be validated through TRY_FMT in some ways, notably to apply the HW required alignment, but also to avoid having to validate that lower in the stack.

Nicolas
Hi Wei,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on media-tree/master]
[also build test WARNING on linus/master v6.3-rc4 next-20230328]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
base:   git://linuxtv.org/media_tree.git master
patch link:    https://lore.kernel.org/r/20230328100951.536955-1-harperchen1110%40gmail.com
patch subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
config: csky-randconfig-r013-20230327 (https://download.01.org/0day-ci/archive/20230329/202303290137.F9lOyCT4-lkp@intel.com/config)
compiler: csky-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
        git checkout caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=csky olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=csky SHELL=/bin/bash drivers/media/platform/mediatek/vcodec/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303290137.F9lOyCT4-lkp@intel.com/

All warnings (new ones prefixed by >>):

   In file included from include/asm-generic/div64.h:27,
                    from ./arch/csky/include/generated/asm/div64.h:1,
                    from include/linux/math.h:6,
                    from include/linux/math64.h:6,
                    from include/linux/time.h:6,
                    from include/linux/videodev2.h:59,
                    from include/media/v4l2-event.h:16,
                    from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:8:
   drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c: In function 'vb2ops_vdec_queue_setup':
>> include/linux/compiler.h:56:26: warning: suggest explicit braces to avoid ambiguous 'else' [-Wdangling-else]
      56 | #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
         |                          ^
   drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:756:17: note: in expansion of macro 'if'
     756 |                 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
         |                 ^~

vim +/else +56 include/linux/compiler.h

2bcd521a684cc9 Steven Rostedt 2008-11-21  50  
2bcd521a684cc9 Steven Rostedt 2008-11-21  51  #ifdef CONFIG_PROFILE_ALL_BRANCHES
2bcd521a684cc9 Steven Rostedt 2008-11-21  52  /*
2bcd521a684cc9 Steven Rostedt 2008-11-21  53   * "Define 'is'", Bill Clinton
2bcd521a684cc9 Steven Rostedt 2008-11-21  54   * "Define 'if'", Steven Rostedt
2bcd521a684cc9 Steven Rostedt 2008-11-21  55   */
a15fd609ad53a6 Linus Torvalds 2019-03-20 @56  #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
a15fd609ad53a6 Linus Torvalds 2019-03-20  57  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
Hi Wei,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on media-tree/master]
[also build test WARNING on linus/master v6.3-rc4 next-20230328]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
base:   git://linuxtv.org/media_tree.git master
patch link:    https://lore.kernel.org/r/20230328100951.536955-1-harperchen1110%40gmail.com
patch subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
config: s390-randconfig-r044-20230327 (https://download.01.org/0day-ci/archive/20230329/202303290153.AP9Oe2GL-lkp@intel.com/config)
compiler: clang version 17.0.0 (https://github.com/llvm/llvm-project 67409911353323ca5edf2049ef0df54132fa1ca7)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install s390 cross compiling tool for clang build
        # apt-get install binutils-s390x-linux-gnu
        # https://github.com/intel-lab-lkp/linux/commit/caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
        git checkout caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=s390 olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=s390 SHELL=/bin/bash drivers/media/platform/mediatek/vcodec/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303290153.AP9Oe2GL-lkp@intel.com/

All warnings (new ones prefixed by >>):

   In file included from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:9:
   In file included from include/media/v4l2-mem2mem.h:16:
   In file included from include/media/videobuf2-v4l2.h:16:
   In file included from include/media/videobuf2-core.h:18:
   In file included from include/linux/dma-buf.h:16:
   In file included from include/linux/iosys-map.h:10:
   In file included from include/linux/io.h:13:
   In file included from arch/s390/include/asm/io.h:75:
   include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __raw_readb(PCI_IOBASE + addr);
                             ~~~~~~~~~~ ^
   include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
   #define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
                                                             ^
   include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
   #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
                                                        ^
   In file included from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:9:
   In file included from include/media/v4l2-mem2mem.h:16:
   In file included from include/media/videobuf2-v4l2.h:16:
   In file included from include/media/videobuf2-core.h:18:
   In file included from include/linux/dma-buf.h:16:
   In file included from include/linux/iosys-map.h:10:
   In file included from include/linux/io.h:13:
   In file included from arch/s390/include/asm/io.h:75:
   include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
   #define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
                                                             ^
   include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
   #define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
                                                        ^
   In file included from drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:9:
   In file included from include/media/v4l2-mem2mem.h:16:
   In file included from include/media/videobuf2-v4l2.h:16:
   In file included from include/media/videobuf2-core.h:18:
   In file included from include/linux/dma-buf.h:16:
   In file included from include/linux/iosys-map.h:10:
   In file included from include/linux/io.h:13:
   In file included from arch/s390/include/asm/io.h:75:
   include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writeb(value, PCI_IOBASE + addr);
                               ~~~~~~~~~~ ^
   include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
   include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
   include/asm-generic/io.h:692:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsb(PCI_IOBASE + addr, buffer, count);
                  ~~~~~~~~~~ ^
   include/asm-generic/io.h:700:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsw(PCI_IOBASE + addr, buffer, count);
                  ~~~~~~~~~~ ^
   include/asm-generic/io.h:708:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           readsl(PCI_IOBASE + addr, buffer, count);
                  ~~~~~~~~~~ ^
   include/asm-generic/io.h:717:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesb(PCI_IOBASE + addr, buffer, count);
                   ~~~~~~~~~~ ^
   include/asm-generic/io.h:726:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesw(PCI_IOBASE + addr, buffer, count);
                   ~~~~~~~~~~ ^
   include/asm-generic/io.h:735:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           writesl(PCI_IOBASE + addr, buffer, count);
                   ~~~~~~~~~~ ^
>> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:759:3: warning: add explicit braces to avoid dangling else [-Wdangling-else]
           else
           ^
   13 warnings generated.

vim +759 drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c

   739	
   740	int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
   741				    unsigned int *nplanes, unsigned int sizes[],
   742				    struct device *alloc_devs[])
   743	{
   744		struct mtk_vcodec_ctx *ctx = vb2_get_drv_priv(vq);
   745		struct mtk_q_data *q_data;
   746		unsigned int i;
   747	
   748		q_data = mtk_vdec_get_q_data(ctx, vq->type);
   749	
   750		if (q_data == NULL) {
   751			mtk_v4l2_err("vq->type=%d err\n", vq->type);
   752			return -EINVAL;
   753		}
   754	
   755		if (*nplanes) {
   756			if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
   757				if (*nplanes != q_data->fmt->num_planes)
   758					return -EINVAL;
 > 759			else
   760				if (*nplanes != 1)
   761					return -EINVAL;
   762	
   763			for (i = 0; i < *nplanes; i++) {
   764				if (sizes[i] < q_data->sizeimage[i])
   765					return -EINVAL;
   766			}
   767		} else {
   768			if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
   769				*nplanes = q_data->fmt->num_planes;
   770			else
   771				*nplanes = 1;
   772	
   773			for (i = 0; i < *nplanes; i++)
   774				sizes[i] = q_data->sizeimage[i];
   775		}
   776	
   777		mtk_v4l2_debug(1,
   778			       "[%d]\t type = %d, get %d plane(s), %d buffer(s) of size 0x%x 0x%x ",
   779			       ctx->id, vq->type, *nplanes, *nbuffers,
   780			       sizes[0], sizes[1]);
   781	
   782		return 0;
   783	}
   784	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
Hi Wei,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on media-tree/master]
[also build test WARNING on linus/master v6.3-rc4 next-20230328]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
base:   git://linuxtv.org/media_tree.git master
patch link:    https://lore.kernel.org/r/20230328100951.536955-1-harperchen1110%40gmail.com
patch subject: [PATCH] media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
config: riscv-allmodconfig (https://download.01.org/0day-ci/archive/20230328/202303282152.CXxK3RNH-lkp@intel.com/config)
compiler: riscv64-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Wei-Chen/media-mediatek-vcodec-Fix-potential-array-out-of-bounds-in-decoder-queue_setup/20230328-181142
        git checkout caa43627286fb5f3b0b3af7e01e1baeca5c5f9cc
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=riscv olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=riscv SHELL=/bin/bash drivers/media/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202303282152.CXxK3RNH-lkp@intel.com/

All warnings (new ones prefixed by >>):

   drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c: In function 'vb2ops_vdec_queue_setup':
>> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c:756:20: warning: suggest explicit braces to avoid ambiguous 'else' [-Wdangling-else]
     756 |                 if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
         |                    ^

vim +/else +756 drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c

   739	
   740	int vb2ops_vdec_queue_setup(struct vb2_queue *vq, unsigned int *nbuffers,
   741				    unsigned int *nplanes, unsigned int sizes[],
   742				    struct device *alloc_devs[])
   743	{
   744		struct mtk_vcodec_ctx *ctx = vb2_get_drv_priv(vq);
   745		struct mtk_q_data *q_data;
   746		unsigned int i;
   747	
   748		q_data = mtk_vdec_get_q_data(ctx, vq->type);
   749	
   750		if (q_data == NULL) {
   751			mtk_v4l2_err("vq->type=%d err\n", vq->type);
   752			return -EINVAL;
   753		}
   754	
   755		if (*nplanes) {
 > 756			if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
   757				if (*nplanes != q_data->fmt->num_planes)
   758					return -EINVAL;
   759			else
   760				if (*nplanes != 1)
   761					return -EINVAL;
   762	
   763			for (i = 0; i < *nplanes; i++) {
   764				if (sizes[i] < q_data->sizeimage[i])
   765					return -EINVAL;
   766			}
   767		} else {
   768			if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
   769				*nplanes = q_data->fmt->num_planes;
   770			else
   771				*nplanes = 1;
   772	
   773			for (i = 0; i < *nplanes; i++)
   774				sizes[i] = q_data->sizeimage[i];
   775		}
   776	
   777		mtk_v4l2_debug(1,
   778			       "[%d]\t type = %d, get %d plane(s), %d buffer(s) of size 0x%x 0x%x ",
   779			       ctx->id, vq->type, *nplanes, *nbuffers,
   780			       sizes[0], sizes[1]);
   781	
   782		return 0;
   783	}
   784	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
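To make the dangling-else problem the three build reports flag concrete, here is an added stand-alone C model of the hunk's check next to a braced version; it is example code written for this thread, not code from the MediaTek driver, and the V4L2_BUF_TYPE_* values and EINVAL are constructed stand-ins. It goes a step beyond the single warning by running both shapes over the two cases that matter: the posted form rejects a valid two-plane capture request and leaves an eight-plane output request unchecked, which is the very bound the commit message set out to enforce.

```c
#include <stdio.h>

#define EINVAL 22

/* Constructed stand-ins for the two multiplanar V4L2 buffer types the decoder
 * queues use; the numeric values are not taken from the thread. */
#define V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE 9
#define V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE  10

/* The build bots reported -Wdangling-else on exactly this shape; it is
 * silenced here only so the model also builds under -Werror. */
#pragma GCC diagnostic ignored "-Wdangling-else"

/* The check as the hunk indents it. Without braces, C attaches "else" to the
 * nearest unmatched "if", which is the inner nplanes test, not the type test. */
static int check_as_posted(int type, unsigned int nplanes, unsigned int num_planes)
{
	if (type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
		if (nplanes != num_planes)
			return -EINVAL;
	else
		if (nplanes != 1)
			return -EINVAL;
	return 0;
}

/* The same intent with explicit braces, so each queue type gets its own arm. */
static int check_with_braces(int type, unsigned int nplanes, unsigned int num_planes)
{
	if (type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {
		if (nplanes != num_planes)
			return -EINVAL;
	} else {
		if (nplanes != 1)
			return -EINVAL;
	}
	return 0;
}

int main(void)
{
	/* Constructed requests: a valid 2-plane capture setup and an 8-plane
	 * output setup, the upper end of the 1-8 range the commit message cites. */
	struct { int type; unsigned int n, planes; const char *what; } cases[] = {
		{ V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE, 2, 2, "capture, nplanes == num_planes == 2" },
		{ V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE,  8, 1, "output, nplanes == 8" },
	};
	for (unsigned int i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-40s posted=%d braced=%d\n", cases[i].what,
		       check_as_posted(cases[i].type, cases[i].n, cases[i].planes),
		       check_with_braces(cases[i].type, cases[i].n, cases[i].planes));
	return 0;
}
```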