| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Jan 2022 10:16:37 +0100
From: Hans Verkuil <hverkuil-cisco@...all.nl>
To: Zhou Qingyang <zhou1615@....edu>,
Neil Armstrong <narmstrong@...libre.com>
Cc: kjlu@....edu, Mauro Carvalho Chehab <mchehab@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Kevin Hilman <khilman@...libre.com>,
Jerome Brunet <jbrunet@...libre.com>,
Martin Blumenstingl <martin.blumenstingl@...glemail.com>,
Maxime Jourdan <mjourdan@...libre.com>,
linux-media@...r.kernel.org, linux-amlogic@...ts.infradead.org,
linux-staging@...ts.linux.dev,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] media: meson: vdec: Fix a NULL pointer dereference in
amvdec_add_ts()
Zhou Qingyang, this is exactly the patch Neil wrote, except you just stuck your
name on it. Not nice.
Neil, can you post your patch with your own Signed-off-by, then I'll take that one.
Regards,
Hans
On 15/12/2021 04:35, Zhou Qingyang wrote:
> In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
> to a NULL pointer dereference on failure of kzalloc().
>
> Fix this bug by adding a NULL check of new_ts.
>
> This bug was found by a static analyzer[1].
>
> Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
> Signed-off-by: Zhou Qingyang <zhou1615@....edu>
> ---
>
> [1] The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths and
> confirms that the inconsistent operations are not recovered in the
> current function or the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Changes in v3:
> - Change the description of patch
> - Turn the return type from 'void' to 'int'
> - Check the return value in the caller 'esparser_queue()'
>
> Changes in v2:
> - Delete dev_err() message
>
> drivers/staging/media/meson/vdec/esparser.c | 7 ++++++-
> drivers/staging/media/meson/vdec/vdec_helpers.c | 8 ++++++--
> drivers/staging/media/meson/vdec/vdec_helpers.h | 4 ++--
> 3 files changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
> index db7022707ff8..095100a50da8 100644
> --- a/drivers/staging/media/meson/vdec/esparser.c
> +++ b/drivers/staging/media/meson/vdec/esparser.c
> @@ -328,7 +328,12 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
>
> offset = esparser_get_offset(sess);
>
> - amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> + ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> + if (!ret) {
> + v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
> + return ret;
> + }
> +
> dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
> vb->timestamp, payload_size, offset, vbuf->flags);
>
> diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
> index b9125c295d1d..06fd66539797 100644
> --- a/drivers/staging/media/meson/vdec/vdec_helpers.c
> +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
> @@ -227,13 +227,16 @@ int amvdec_set_canvases(struct amvdec_session *sess,
> }
> EXPORT_SYMBOL_GPL(amvdec_set_canvases);
>
> -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> - struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
> +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> + struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
> {
> struct amvdec_timestamp *new_ts;
> unsigned long flags;
>
> new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
> + if (!new_ts)
> + return -ENOMEM;
> +
> new_ts->ts = ts;
> new_ts->tc = tc;
> new_ts->offset = offset;
> @@ -242,6 +245,7 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> spin_lock_irqsave(&sess->ts_spinlock, flags);
> list_add_tail(&new_ts->list, &sess->timestamps);
> spin_unlock_irqrestore(&sess->ts_spinlock, flags);
> + return 0;
> }
> EXPORT_SYMBOL_GPL(amvdec_add_ts);
>
> diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
> index 88137d15aa3a..4bf3e61d081b 100644
> --- a/drivers/staging/media/meson/vdec/vdec_helpers.h
> +++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
> @@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
> * @offset: offset in the VIFIFO where the associated packet was written
> * @flags: the vb2_v4l2_buffer flags
> */
> -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> - struct v4l2_timecode tc, u32 offset, u32 flags);
> +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> + struct v4l2_timecode tc, u32 offset, u32 flags);
> void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
>
> /**
Powered by blists - more mailing lists