Message-Id: <20210619094642.17779-1-dafna.hirschfeld@collabora.com>
Date:   Sat, 19 Jun 2021 12:46:42 +0300
From:   Dafna Hirschfeld <dafna.hirschfeld@...labora.com>
To:     linux-media@...r.kernel.org, linux-mediatek@...ts.infradead.org,
        linux-kernel@...r.kernel.org, bin.liu@...iatek.com,
        rick.chang@...iatek.com
Cc:     dafna.hirschfeld@...labora.com, hverkuil@...all.nl,
        kernel@...labora.com, dafna3@...il.com, mchehab@...nel.org,
        tfiga@...omium.org, matthias.bgg@...il.com,
        enric.balletbo@...labora.com
Subject: [PATCH] media: mtk-jpeg: fix setting plane payload

In mtk_jpeg_buf_prepare, in case the format is V4L2_PIX_FMT_JPEG,
then the payload of the vb2_buffer planes can be overwritten
only if 'ctx->enable_exif' is true; in that case, the driver is
a jpeg encoder and the payload is determined by the driver.

If 'ctx->enable_exif' is not set and the format is V4L2_PIX_FMT_JPEG
then the payload might come from userspace (in case of a decoder)
and should not be overwritten by the driver.

In addition, the cb 'queue_setup' should add the MTK_JPEG_MAX_EXIF_SIZE
to the plane sizes in case the format is V4L2_PIX_FMT_JPEG
and ctx->enable_exif is set.

Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@...labora.com>
---
 .../media/platform/mtk-jpeg/mtk_jpeg_core.c   | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
index 88a23bce569d..397a27888a84 100644
--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
+++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
@@ -651,6 +651,7 @@ static int mtk_jpeg_queue_setup(struct vb2_queue *q,
 	struct mtk_jpeg_ctx *ctx = vb2_get_drv_priv(q);
 	struct mtk_jpeg_q_data *q_data = NULL;
 	struct mtk_jpeg_dev *jpeg = ctx->jpeg;
+	unsigned int exif_extra;
 	int i;
 
 	v4l2_dbg(1, debug, &jpeg->v4l2_dev, "(%d) buf_req count=%u\n",
@@ -660,18 +661,20 @@ static int mtk_jpeg_queue_setup(struct vb2_queue *q,
 	if (!q_data)
 		return -EINVAL;
 
+	exif_extra = ctx->enable_exif && V4L2_TYPE_IS_CAPTURE(q->type) ?
+		     MTK_JPEG_MAX_EXIF_SIZE : 0;
+
 	if (*num_planes) {
 		for (i = 0; i < *num_planes; i++)
-			if (sizes[i] < q_data->pix_mp.plane_fmt[i].sizeimage)
+			if (sizes[i] < q_data->pix_mp.plane_fmt[i].sizeimage + exif_extra)
 				return -EINVAL;
 		return 0;
 	}
 
 	*num_planes = q_data->fmt->colplanes;
 	for (i = 0; i < q_data->fmt->colplanes; i++) {
-		sizes[i] =  q_data->pix_mp.plane_fmt[i].sizeimage;
-		v4l2_dbg(1, debug, &jpeg->v4l2_dev, "sizeimage[%d]=%u\n",
-			 i, sizes[i]);
+		sizes[i] =  q_data->pix_mp.plane_fmt[i].sizeimage + exif_extra;
+		v4l2_dbg(1, debug, &jpeg->v4l2_dev, "sizes[%d]=%u\n", i, sizes[i]);
 	}
 
 	return 0;
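
Review bot: the `exif_extra` assignment tests `V4L2_TYPE_IS_CAPTURE(q->type)`, but the commit message and the mtk_jpeg_buf_prepare hunk both key the extra bytes on `q_data->fmt->fourcc == V4L2_PIX_FMT_JPEG`; please use the same test in both functions, or add a comment stating why the capture queue of a context with `enable_exif` set always carries V4L2_PIX_FMT_JPEG. If the two conditions can ever diverge, buf_prepare will set a payload of sizeimage + MTK_JPEG_MAX_EXIF_SIZE on a plane that queue_setup sized without the extra bytes. Also note that the `*num_planes` branch now returns -EINVAL for caller-supplied sizes that were accepted before (anything between sizeimage and sizeimage + exif_extra), which is a userspace-visible change the commit message should mention.
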
@@ -690,12 +693,11 @@ static int mtk_jpeg_buf_prepare(struct vb2_buffer *vb)
 
 	for (i = 0; i < q_data->fmt->colplanes; i++) {
 		plane_fmt = q_data->pix_mp.plane_fmt[i];
-		if (ctx->enable_exif &&
-		    q_data->fmt->fourcc == V4L2_PIX_FMT_JPEG)
-			vb2_set_plane_payload(vb, i, plane_fmt.sizeimage +
+		if (q_data->fmt->fourcc != V4L2_PIX_FMT_JPEG)
+			vb2_set_plane_payload(vb, i, plane_fmt.sizeimage);
+		else if (ctx->enable_exif)
+			vb2_set_plane_payload(vb, i,  plane_fmt.sizeimage +
 					      MTK_JPEG_MAX_EXIF_SIZE);
-		else
-			vb2_set_plane_payload(vb, i,  plane_fmt.sizeimage);
 	}
 
 	return 0;
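
Review bot: in the loop, once the trailing `else` is dropped, a V4L2_PIX_FMT_JPEG plane with `ctx->enable_exif` unset keeps whatever payload userspace supplied, and nothing in the visible lines checks that value. Since the driver now trusts it, please confirm (or add here) a check that `vb2_get_plane_payload(vb, i)` is non-zero and does not exceed `vb2_plane_size(vb, i)`, returning -EINVAL otherwise, so that a bogus bytesused from userspace never reaches the hardware setup. A short comment above the `if`/`else if` explaining that the JPEG case without EXIF is the decoder's bitstream buffer would make the intentionally missing `else` obvious to the next reader.
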
-- 
2.17.1
