lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20170627055756.GX12407@valkosipuli.retiisi.org.uk>
Date:   Tue, 27 Jun 2017 08:57:57 +0300
From:   Sakari Ailus <sakari.ailus@....fi>
To:     "H. Nikolaus Schaller" <hns@...delico.com>
Cc:     Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>, s-anna@...com,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        letux-kernel@...nphoenux.org
Subject: Re: [PATCH] media: omap3isp: handle NULL return of
 omap3isp_video_format_info() in ccdc_is_shiftable().

Hi Nikolaus,

On Tue, Jun 27, 2017 at 07:46:51AM +0200, H. Nikolaus Schaller wrote:
> Hi,
> 
> > Am 26.06.2017 um 22:12 schrieb Sakari Ailus <sakari.ailus@....fi>:
> > 
> > Hi Nikolaus,
> > 
> > On Mon, Jun 26, 2017 at 07:54:19PM +0200, H. Nikolaus Schaller wrote:
> >> If a camera module driver specifies a format that is not
> >> supported by omap3isp this ends in a NULL pointer
> >> dereference instead of a simple fail.
> > 
> > Has this happened in practice?
> 
> Yes. I wouldn't have noticed it otherwise.
> 
> It happens with a new ov965x driver just submitted for review.
> It seems to provide some format that the omap3isp does not understand.
> 
> I can send you a console stack log if needed.

No need to. I think indeed what was missed is that the code may come from
elsewhere than the omap3isp driver pads themselves where it already has been
validated. Adding a comment saying that wouldn't hurt IMO.

I think the following change should be probably made as well. Feel free to
merge to the same patch.

diff --git a/drivers/media/platform/omap3isp/ispccdc.c b/drivers/media/platform/omap3isp/ispccdc.c
index 7207558..71de993 100644
--- a/drivers/media/platform/omap3isp/ispccdc.c
+++ b/drivers/media/platform/omap3isp/ispccdc.c
@@ -1160,7 +1160,8 @@ static void ccdc_configure(struct isp_ccdc_device *ccdc)
 	fmt_src.which = V4L2_SUBDEV_FORMAT_ACTIVE;
 	if (!v4l2_subdev_call(sensor, pad, get_fmt, NULL, &fmt_src)) {
 		fmt_info = omap3isp_video_format_info(fmt_src.format.code);
-		depth_in = fmt_info->width;
+		if (fmt_info)
+			depth_in = fmt_info->width;
 	}
 
 	fmt_info = omap3isp_video_format_info(format->code);

> 
> > If it does, it is probably a driver bug ---
> > the formats on its pads should be recognised by the driver.
> 
> > 
> > WARN_ON() around the condition would be good to avoid silently ignoring such
> > issues.
> > 
> > I wonder what Laurent thinks.
> > 
> >> 
> >> Signed-off-by: H. Nikolaus Schaller <hns@...delico.com>
> >> ---
> >> drivers/media/platform/omap3isp/ispccdc.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >> 
> >> diff --git a/drivers/media/platform/omap3isp/ispccdc.c b/drivers/media/platform/omap3isp/ispccdc.c
> >> index 2fb755f20a6b..dcf16ee7c612 100644
> >> --- a/drivers/media/platform/omap3isp/ispccdc.c
> >> +++ b/drivers/media/platform/omap3isp/ispccdc.c
> >> @@ -2397,6 +2397,9 @@ static bool ccdc_is_shiftable(u32 in, u32 out, unsigned int additional_shift)
> >> 	in_info = omap3isp_video_format_info(in);
> >> 	out_info = omap3isp_video_format_info(out);
> >> 
> >> +	if (!in_info || !out_info)
> >> +		return false;
> >> +
> >> 	if ((in_info->flavor == 0) || (out_info->flavor == 0))
> >> 		return false;
> >> 

-- 
Regards,

Sakari Ailus
e-mail: sakari.ailus@....fi	XMPP: sailus@...iisi.org.uk

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ