lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5a7c6b24-03f1-dd33-5911-ce046ee140f1@collabora.com>
Date:   Wed, 26 Jul 2023 09:01:27 +0200
From:   AngeloGioacchino Del Regno 
        <angelogioacchino.delregno@...labora.com>
To:     Nícolas F. R. A. Prado 
        <nfraprado@...labora.com>, Hans Verkuil <hverkuil-cisco@...all.nl>
Cc:     kernel@...labora.com, Andrew-CT Chen <andrew-ct.chen@...iatek.com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Tiffany Lin <tiffany.lin@...iatek.com>,
        Yunfei Dong <yunfei.dong@...iatek.com>,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
        linux-media@...r.kernel.org, linux-mediatek@...ts.infradead.org
Subject: Re: [PATCH] media: mediatek: vcodec: Consider vdecsys presence in reg
 range check

Il 25/07/23 22:40, Nícolas F. R. A. Prado ha scritto:
> Commit fe8a33978383 ("media: mediatek: vcodec: Read HW active status
> from syscon") allowed the driver to read the VDEC_SYS io space from a
> syscon instead of from the reg property when reg-names are supplied.
> However as part of that change, a smatch warning was introduced:
> 
> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c:142 mtk_vcodec_get_reg_bases() error: buffer overflow 'mtk_dec_reg_names' 11 <= 11
> 
> With a correct Devicetree, that is, one that follows the dt-binding, it
> wouldn't be possible to trigger such a buffer overflow. Even so, update
> the range validation of the reg property, so that the smatch warning is
> fixed and if an incorrect Devicetree is ever supplied the code errors
> out instead of causing memory corruption.
> 
> Reported-by: Hans Verkuil <hverkuil-cisco@...all.nl>
> Closes: https://lore.kernel.org/all/b5fd2dff-14a5-3ad8-9698-d1a50f4516fa@xs4all.nl
> Fixes: fe8a33978383 ("media: mediatek: vcodec: Read HW active status from syscon")
> Signed-off-by: Nícolas F. R. A. Prado <nfraprado@...labora.com>
> 
> ---
> 
>   drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
> index 742b6903d030..cd62b3f68072 100644
> --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
> +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
> @@ -124,7 +124,8 @@ static int mtk_vcodec_get_reg_bases(struct mtk_vcodec_dev *dev)
>   	/* Sizeof(u32) * 4 bytes for each register base. */
>   	reg_num = of_property_count_elems_of_size(pdev->dev.of_node, "reg",
>   						  sizeof(u32) * 4);
> -	if (reg_num <= 0 || reg_num > NUM_MAX_VDEC_REG_BASE) {
> +	if (reg_num <= 0 || reg_num > NUM_MAX_VDEC_REG_BASE ||

You could also simplify this like

int num_max_vdec_regs;

....

num_max_vdec_regs = no_vdecsys_reg ?
		    ARRAY_SIZE(mtk_dec_reg_names) : NUM_MAX_VDEC_REG_BASE;

if (reg_num <= 0 || reg_num > num_max_vdec_regs) ....

I'd go for the proposed solution, as it looks better in my eyes, but it's
ultimately your choice and probably just a personal preference.

That said, if you want to keep this commit as it is, you still get my

Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>

> +	    (!has_vdecsys_reg && reg_num > NUM_MAX_VDEC_REG_BASE - 1)) {
>   		dev_err(&pdev->dev, "Invalid register property size: %d\n", reg_num);
>   		return -EINVAL;
>   	}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ