Date:   Tue, 27 Jun 2023 12:42:37 +0200
From:   Alain Volmat <alain.volmat@...s.st.com>
To:     <yqsun1997@...il.com>
CC:     <tiffany.lin@...iatek.com>, <andrew-ct.chen@...iatek.com>,
        <yunfei.dong@...iatek.com>, <matthias.bgg@...il.com>,
        <angelogioacchino.delregno@...labora.com>,
        <linux-media@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-mediatek@...ts.infradead.org>, <499671216@...com>
Subject: Re: [PATCH] OOB read and write in mtk multiple places

Hi,

I had a look at some places where this macro MTK_VCODEC_MAX_PLANES
is being used, such as q_data->bytesperline etc.
This patch seems to be increasing the table size from 3 to 8 but,
if my understanding is correct, doesn't solve the issue that
(taking the example you give in vidioc_venc_g_fmt) the table
bytesperline is accessed taking into account a num_planes value which
is unchecked as to whether it is appropriate for this driver.

What are the 8 planes you are referring to?

While increasing the table to 8 might also be necessary, it seems to me
that the real OOB access issue should be solved by checking the num of
planes value.

Regards,
Alain

On Tue, Jun 27, 2023 at 04:10:02PM +0800, yqsun1997@...il.com wrote:
> From: yqsun1997 <yqsun1997@...il.com>
> 
> The num_planes max index is 8,
> but bytesperline and bytesperline in struct mtk_q_data,
> The max index is MTK_VCODEC_MAX_PLANES == 3,
> so will cause OOB read and write in multiple places, like vidioc_venc_g_fmt
> same as commit 8fbcf730
> 
> Signed-off-by: yqsun1997 <yqsun1997@...il.com>
> ---
>  drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h
> index 9acab54fd..c2c157675 100644
> --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h
> +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h
> @@ -22,7 +22,7 @@
>  #define MTK_VCODEC_DEC_NAME	"mtk-vcodec-dec"
>  #define MTK_VCODEC_ENC_NAME	"mtk-vcodec-enc"
>  
> -#define MTK_VCODEC_MAX_PLANES	3
> +#define MTK_VCODEC_MAX_PLANES	8
>  #define MTK_V4L2_BENCHMARK	0
>  #define WAIT_INTR_TIMEOUT_MS	1000
>  #define IS_VDEC_LAT_ARCH(hw_arch) ((hw_arch) >= MTK_VDEC_LAT_SINGLE_CORE)
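Review bot: The changed line `#define MTK_VCODEC_MAX_PLANES 8` enlarges every array sized by the macro but adds no check on num_planes, so the out-of-bounds access described in the commit message is avoided only as long as no path ever supplies more than 8 planes. Consider rejecting a num_planes above MTK_VCODEC_MAX_PLANES at the places where it is used as an index (the commit message names vidioc_venc_g_fmt), and keeping the arrays at the size the hardware actually needs. If 8 is meant to mirror the V4L2 limit, write it as VIDEO_MAX_PLANES rather than a bare literal, and state in the commit message which second field is meant by "bytesperline and bytesperline".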
> -- 
> 2.39.2
> 
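
The point made in the reply above, as an added example that is not part of the thread or of the driver: a user-space model showing that enlarging the table only moves the first out-of-bounds index, while validating num_planes before indexing removes it. The `*_model` types, `first_oob_index`, `get_fmt_checked` and the sample values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* User-space model only; *_model names are hypothetical, not driver code. */
#define MTK_VCODEC_MAX_PLANES 3  /* pre-patch value shown in the hunk */
#define API_MAX_PLANES_MODEL  8  /* "num_planes max index is 8" per the commit message */

struct q_data_model {
	unsigned int bytesperline[MTK_VCODEC_MAX_PLANES];
};

struct pix_mp_model {
	unsigned int num_planes;
	unsigned int bytesperline[API_MAX_PLANES_MODEL];
};

/* First index a loop over num_planes would touch outside a table of
 * table_len entries, or -1 if every access stays in bounds. */
int first_oob_index(unsigned int table_len, unsigned int num_planes)
{
	return num_planes > table_len ? (int)table_len : -1;
}

/* g_fmt-style copy that validates num_planes before using it as an index. */
int get_fmt_checked(const struct q_data_model *q, struct pix_mp_model *pix)
{
	unsigned int i;

	if (pix->num_planes == 0 || pix->num_planes > MTK_VCODEC_MAX_PLANES)
		return -EINVAL;
	for (i = 0; i < pix->num_planes; i++)
		pix->bytesperline[i] = q->bytesperline[i];
	return 0;
}

int main(void)
{
	struct q_data_model q = { { 1920, 960, 960 } };  /* constructed sample */
	struct pix_mp_model pix = { .num_planes = 8 };

	printf("table=3 planes=8 -> first OOB index %d\n", first_oob_index(3, 8));
	printf("table=8 planes=9 -> first OOB index %d\n", first_oob_index(8, 9));
	printf("checked copy, planes=8 -> %d\n", get_fmt_checked(&q, &pix));
	pix.num_planes = 2;
	printf("checked copy, planes=2 -> %d\n", get_fmt_checked(&q, &pix));
	return 0;
}
```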
