| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Jun 2017 08:57:57 +0300
From: Sakari Ailus <sakari.ailus@....fi>
To: "H. Nikolaus Schaller" <hns@...delico.com>
Cc: Laurent Pinchart <laurent.pinchart@...asonboard.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>, s-anna@...com,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
letux-kernel@...nphoenux.org
Subject: Re: [PATCH] media: omap3isp: handle NULL return of
omap3isp_video_format_info() in ccdc_is_shiftable().
Hi Nikolaus,
On Tue, Jun 27, 2017 at 07:46:51AM +0200, H. Nikolaus Schaller wrote:
> Hi,
>
> > Am 26.06.2017 um 22:12 schrieb Sakari Ailus <sakari.ailus@....fi>:
> >
> > Hi Nikolaus,
> >
> > On Mon, Jun 26, 2017 at 07:54:19PM +0200, H. Nikolaus Schaller wrote:
> >> If a camera module driver specifies a format that is not
> >> supported by omap3isp this ends in a NULL pointer
> >> dereference instead of a simple fail.
> >
> > Has this happened in practice?
>
> Yes. I wouldn't have noticed it otherwise.
>
> It happens with a new ov965x driver just submitted for review.
> It seems to provide some format that the omap3isp does not understand.
>
> I can send you a console stack log if needed.
No need to. I think indeed what was missed is that the code may come from
elsewhere than the omap3isp driver pads themselves where it already has been
validated. Adding a comment saying that wouldn't hurt IMO.
I think the following change should be probably made as well. Feel free to
merge to the same patch.
diff --git a/drivers/media/platform/omap3isp/ispccdc.c b/drivers/media/platform/omap3isp/ispccdc.c
index 7207558..71de993 100644
--- a/drivers/media/platform/omap3isp/ispccdc.c
+++ b/drivers/media/platform/omap3isp/ispccdc.c
@@ -1160,7 +1160,8 @@ static void ccdc_configure(struct isp_ccdc_device *ccdc)
fmt_src.which = V4L2_SUBDEV_FORMAT_ACTIVE;
if (!v4l2_subdev_call(sensor, pad, get_fmt, NULL, &fmt_src)) {
fmt_info = omap3isp_video_format_info(fmt_src.format.code);
- depth_in = fmt_info->width;
+ if (fmt_info)
+ depth_in = fmt_info->width;
}
fmt_info = omap3isp_video_format_info(format->code);
>
> > If it does, it is probably a driver bug ---
> > the formats on its pads should be recognised by the driver.
>
> >
> > WARN_ON() around the condition would be good to avoid silently ignoring such
> > issues.
> >
> > I wonder what Laurent thinks.
> >
> >>
> >> Signed-off-by: H. Nikolaus Schaller <hns@...delico.com>
> >> ---
> >> drivers/media/platform/omap3isp/ispccdc.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >> diff --git a/drivers/media/platform/omap3isp/ispccdc.c b/drivers/media/platform/omap3isp/ispccdc.c
> >> index 2fb755f20a6b..dcf16ee7c612 100644
> >> --- a/drivers/media/platform/omap3isp/ispccdc.c
> >> +++ b/drivers/media/platform/omap3isp/ispccdc.c
> >> @@ -2397,6 +2397,9 @@ static bool ccdc_is_shiftable(u32 in, u32 out, unsigned int additional_shift)
> >> in_info = omap3isp_video_format_info(in);
> >> out_info = omap3isp_video_format_info(out);
> >>
> >> + if (!in_info || !out_info)
> >> + return false;
> >> +
> >> if ((in_info->flavor == 0) || (out_info->flavor == 0))
> >> return false;
> >>
--
Regards,
Sakari Ailus
e-mail: sakari.ailus@....fi XMPP: sailus@...iisi.org.uk
Powered by blists - more mailing lists