From: Dikshita Agarwal
Date: Mon, 19 May 2025 12:42:22 +0530
Subject: [PATCH v4 2/2] media: venus: Fix OOB read due to missing payload bound check
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20250519-venus-fixes-v4-2-3ae91d81443d@quicinc.com>
References: <20250519-venus-fixes-v4-0-3ae91d81443d@quicinc.com>
In-Reply-To: <20250519-venus-fixes-v4-0-3ae91d81443d@quicinc.com>
To: Vikash Garodia, Bryan O'Donoghue, Mauro Carvalho Chehab, Hans Verkuil
CC: Dikshita Agarwal, Vedang Nagar
From: Vedang Nagar

Currently, the event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed.

Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed. This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior.

Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
Signed-off-by: Vedang Nagar
Reviewed-by: Vikash Garodia
Reviewed-by: Bryan O'Donoghue
Co-developed-by: Dikshita Agarwal
Signed-off-by: Dikshita Agarwal --- drivers/media/platform/qcom/venus/hfi_msgs.c | 83 +++++++++++++++++++-----= ---- 1 file changed, 58 insertions(+), 25 deletions(-) diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/p= latform/qcom/venus/hfi_msgs.c index 0a041b4db9efc549621de07dd13b4a3a37a70d11..cf0d97cbc4631f907faf255a338= ceca673eaab2b 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -33,8 +33,9 @@ static void event_seq_changed(struct venus_core *core, st= ruct venus_inst *inst, struct hfi_buffer_requirements *bufreq; struct hfi_extradata_input_crop *crop; struct hfi_dpb_counts *dpb_count; + u32 ptype, rem_bytes; + u32 size_read =3D 0; u8 *data_ptr; - u32 ptype; =20 inst->error =3D HFI_ERR_NONE; =20 
@@ -44,86 +45,118 @@ static void event_seq_changed(struct venus_core *core,= struct venus_inst *inst, break; default: inst->error =3D HFI_ERR_SESSION_INVALID_PARAMETER; - goto done; + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; } =20 event.event_type =3D pkt->event_data1; =20 num_properties_changed =3D pkt->event_data2; - if (!num_properties_changed) { - inst->error =3D HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; - goto done; - } + if (!num_properties_changed) + goto error; =20 data_ptr =3D (u8 *)&pkt->ext_event_data[0]; + rem_bytes =3D pkt->shdr.hdr.size - sizeof(*pkt); + do { + if (rem_bytes < sizeof(u32)) + goto error; ptype =3D *((u32 *)data_ptr); + + data_ptr +=3D sizeof(u32); + rem_bytes -=3D sizeof(u32); + switch (ptype) { case HFI_PROPERTY_PARAM_FRAME_SIZE: - data_ptr +=3D sizeof(u32); + if (rem_bytes < sizeof(struct hfi_framesize)) + goto error; + frame_sz =3D (struct hfi_framesize *)data_ptr; event.width =3D frame_sz->width; event.height =3D frame_sz->height; - data_ptr +=3D sizeof(*frame_sz); + size_read =3D sizeof(struct hfi_framesize); break; case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT: - data_ptr +=3D sizeof(u32); + if (rem_bytes < sizeof(struct hfi_profile_level)) + goto error; + profile_level =3D (struct hfi_profile_level *)data_ptr; event.profile =3D profile_level->profile; event.level =3D profile_level->level; - data_ptr +=3D sizeof(*profile_level); + size_read =3D sizeof(struct hfi_profile_level); break; case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH: - data_ptr +=3D sizeof(u32); + if (rem_bytes < sizeof(struct hfi_bit_depth)) + goto error; + pixel_depth =3D (struct hfi_bit_depth *)data_ptr; event.bit_depth =3D pixel_depth->bit_depth; - data_ptr +=3D sizeof(*pixel_depth); + size_read =3D sizeof(struct hfi_bit_depth); break; case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT: - data_ptr +=3D sizeof(u32); + if (rem_bytes < sizeof(struct hfi_pic_struct)) + goto error; + pic_struct =3D (struct hfi_pic_struct *)data_ptr; event.pic_struct 
=3D pic_struct->progressive_only; - data_ptr +=3D sizeof(*pic_struct); + size_read =3D sizeof(struct hfi_pic_struct); break; case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE: - data_ptr +=3D sizeof(u32); + if (rem_bytes < sizeof(struct hfi_colour_space)) + goto error; + colour_info =3D (struct hfi_colour_space *)data_ptr; event.colour_space =3D colour_info->colour_space; - data_ptr +=3D sizeof(*colour_info); + size_read =3D sizeof(struct hfi_colour_space); break; case HFI_PROPERTY_CONFIG_VDEC_ENTROPY: - data_ptr +=3D sizeof(u32); + if (rem_bytes < sizeof(u32)) + goto error; + event.entropy_mode =3D *(u32 *)data_ptr; - data_ptr +=3D sizeof(u32); + size_read =3D sizeof(u32); break; case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: - data_ptr +=3D sizeof(u32); + if (rem_bytes < sizeof(struct hfi_buffer_requirements)) + goto error; + bufreq =3D (struct hfi_buffer_requirements *)data_ptr; event.buf_count =3D hfi_bufreq_get_count_min(bufreq, ver); - data_ptr +=3D sizeof(*bufreq); + size_read =3D sizeof(struct hfi_buffer_requirements); break; case HFI_INDEX_EXTRADATA_INPUT_CROP: - data_ptr +=3D sizeof(u32); + if (rem_bytes < sizeof(struct hfi_extradata_input_crop)) + goto error; + crop =3D (struct hfi_extradata_input_crop *)data_ptr; event.input_crop.left =3D crop->left; event.input_crop.top =3D crop->top; event.input_crop.width =3D crop->width; event.input_crop.height =3D crop->height; - data_ptr +=3D sizeof(*crop); + size_read =3D sizeof(struct hfi_extradata_input_crop); break; case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS: - data_ptr +=3D sizeof(u32); + if (rem_bytes < sizeof(struct hfi_dpb_counts)) + goto error; + dpb_count =3D (struct hfi_dpb_counts *)data_ptr; event.buf_count =3D dpb_count->fw_min_cnt; - data_ptr +=3D sizeof(*dpb_count); + size_read =3D sizeof(struct hfi_dpb_counts); break; default: + size_read =3D 0; break; } + data_ptr +=3D size_read; + rem_bytes -=3D size_read; num_properties_changed--; } while (num_properties_changed > 0); =20 -done: + 
inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + return; + +error: + inst->error =3D HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); } =20 --=20 2.34.1
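Review bot: the initializer on `u32 size_read = 0;` in the declaration hunk (`@@ -33,8 +33,9 @@`) is redundant, since the loop hunk assigns `size_read` in every arm of the switch, including `default: size_read = 0;`, before it is used; either declare it as `u32 ptype, rem_bytes, size_read;` and keep the assignment in `default`, or keep the initializer and drop that assignment, but not both.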
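Review bot: `rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt);` at the top of the loop hunk (`@@ -44,86 +45,118 @@`) is an unsigned subtraction with no check that `hdr.size` is at least `sizeof(*pkt)`; if the firmware reports a smaller size, `rem_bytes` wraps to a value near 4 GiB and every `rem_bytes < sizeof(...)` check that follows passes, which reopens the out-of-bounds read this patch closes. Suggest `if (pkt->shdr.hdr.size < sizeof(*pkt)) goto error;` before the subtraction, unless the queue reader is known to reject such packets before this handler runs, in which case a comment saying so would help. Two smaller points: the `default:` arm sets `size_read = 0`, so an unrecognised property's payload is re-read as the next property type on the following iteration (pre-existing behaviour, but worth a comment now that the walk is bounded), and the new `error:` label reports `HFI_ERR_SESSION_INSUFFICIENT_RESOURCES` for a truncated payload, where `HFI_ERR_SESSION_INVALID_PARAMETER`, already used for the unknown event type at the top of the hunk, may describe the condition better.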
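The bounded property walk that the commit message describes, as an added stand-alone C model (not the kernel's code and not part of this patch): it checks the remaining byte count before each type word and each property body, rejects a property count that outruns the payload, and adds a guard on the header-size subtraction that the model, not the patch, introduces. `PROP_FRAME_SIZE`, `PROP_BIT_DEPTH`, `struct hdr`, `struct event`, `parse_seq_changed()` and `run_case()` are hypothetical stand-ins for the venus HFI definitions, and the sample packets are constructed, not firmware captures.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the venus HFI ids and struct layouts (not the real ones). */
#define PROP_FRAME_SIZE 0x1001u /* payload: width, height (2 x u32) */
#define PROP_BIT_DEPTH  0x1002u /* payload: bit_depth (1 x u32) */
struct hdr { uint32_t size, num_props; };           /* stands in for pkt->shdr.hdr */
struct event { uint32_t width, height, bit_depth; };
/* Property walk as in the patched event_seq_changed(): every read is preceded
 * by a check against the bytes still remaining. Returns 0 = ok, -1 = malformed. */
int parse_seq_changed(const uint8_t *pkt, size_t buf_len, struct event *ev)
{
    struct hdr h;
    if (buf_len < sizeof(h)) return -1;
    memcpy(&h, pkt, sizeof(h));
    /* Guard the subtraction so a declared size below the header cannot wrap rem;
     * the upper bound stands in for the queue-level size check done before this. */
    if (h.size < sizeof(h) || h.size > buf_len || h.num_props == 0) return -1;
    uint32_t rem = h.size - sizeof(h);
    const uint8_t *p = pkt + sizeof(h);
    for (uint32_t n = h.num_props; n > 0; n--) {
        uint32_t ptype, size_read = 0;
        if (rem < 4) return -1;                     /* room for the type word? */
        memcpy(&ptype, p, 4); p += 4; rem -= 4;
        switch (ptype) {
        case PROP_FRAME_SIZE:
            if (rem < 8) return -1;                 /* room for the body? */
            memcpy(&ev->width, p, 4); memcpy(&ev->height, p + 4, 4);
            size_read = 8; break;
        case PROP_BIT_DEPTH:
            if (rem < 4) return -1;
            memcpy(&ev->bit_depth, p, 4);
            size_read = 4; break;
        default: break; /* unknown property: skip only its type word, as the patch does */
        }
        p += size_read; rem -= size_read;
    }
    return 0;
}

/* One constructed case (host endianness, not a firmware capture): the body is
 * always frame size 1920x1080 then bit depth 10; the header fields are as given. */
int run_case(uint32_t declared_size, uint32_t num_props, struct event *ev)
{
    const uint32_t words[] = { PROP_FRAME_SIZE, 1920, 1080, PROP_BIT_DEPTH, 10 };
    uint8_t buf[sizeof(struct hdr) + sizeof(words)];   /* 28 bytes */
    struct hdr h = { declared_size, num_props }; memset(ev, 0, sizeof(*ev));
    memcpy(buf, &h, sizeof(h)); memcpy(buf + sizeof(h), words, sizeof(words));
    return parse_seq_changed(buf, sizeof(buf), ev);
}
```

A consistent header (size 28, two properties) parses; a count of three over the same 20-byte body, a size of 24 that cuts the second property short, a size below the header, or a size beyond the received buffer are all rejected before any read past the data.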