| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230726165742.614248-1-nfraprado@collabora.com>
Date: Wed, 26 Jul 2023 12:57:39 -0400
From: Nícolas F. R. A. Prado
<nfraprado@...labora.com>
To: Hans Verkuil <hverkuil-cisco@...all.nl>
Cc: kernel@...labora.com,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@...labora.com>,
Nícolas F. R. A. Prado
<nfraprado@...labora.com>,
Andrew-CT Chen <andrew-ct.chen@...iatek.com>,
Matthias Brugger <matthias.bgg@...il.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Tiffany Lin <tiffany.lin@...iatek.com>,
Yunfei Dong <yunfei.dong@...iatek.com>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-media@...r.kernel.org, linux-mediatek@...ts.infradead.org
Subject: [PATCH v2] media: mediatek: vcodec: Consider vdecsys presence in reg range check
Commit fe8a33978383 ("media: mediatek: vcodec: Read HW active status
from syscon") allowed the driver to read the VDEC_SYS io space from a
syscon instead of from the reg property when reg-names are supplied.
However as part of that change, a smatch warning was introduced:
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c:142 mtk_vcodec_get_reg_bases() error: buffer overflow 'mtk_dec_reg_names' 11 <= 11
With a correct Devicetree, that is, one that follows the dt-binding, it
wouldn't be possible to trigger such a buffer overflow. Even so, update
the range validation of the reg property, so that the smatch warning is
fixed and if an incorrect Devicetree is ever supplied the code errors
out instead of causing memory corruption.
Reported-by: Hans Verkuil <hverkuil-cisco@...all.nl>
Closes: https://lore.kernel.org/all/b5fd2dff-14a5-3ad8-9698-d1a50f4516fa@xs4all.nl
Fixes: fe8a33978383 ("media: mediatek: vcodec: Read HW active status from syscon")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@...labora.com>
---
Changes in v2:
- Tidied logic by moving number of maximum regs to separate variable
- Rebased on top of Hans' for-v6.6i branch
drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
index 6cf5f88a3a8e..f5b8c37f32f5 100644
--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
+++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
@@ -96,6 +96,7 @@ static int mtk_vcodec_get_reg_bases(struct mtk_vcodec_dev *dev)
int reg_num, i;
struct resource *res;
bool has_vdecsys_reg;
+ int num_max_vdec_regs;
static const char * const mtk_dec_reg_names[] = {
"misc",
"ld",
@@ -122,10 +123,13 @@ static int mtk_vcodec_get_reg_bases(struct mtk_vcodec_dev *dev)
else
has_vdecsys_reg = true;
+ num_max_vdec_regs = has_vdecsys_reg ? NUM_MAX_VDEC_REG_BASE :
+ ARRAY_SIZE(mtk_dec_reg_names);
+
/* Sizeof(u32) * 4 bytes for each register base. */
reg_num = of_property_count_elems_of_size(pdev->dev.of_node, "reg",
sizeof(u32) * 4);
- if (reg_num <= 0 || reg_num > NUM_MAX_VDEC_REG_BASE) {
+ if (reg_num <= 0 || reg_num > num_max_vdec_regs) {
dev_err(&pdev->dev, "Invalid register property size: %d\n", reg_num);
return -EINVAL;
}
--
2.41.0
Powered by blists - more mailing lists