| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5a7c6b24-03f1-dd33-5911-ce046ee140f1@collabora.com>
Date: Wed, 26 Jul 2023 09:01:27 +0200
From: AngeloGioacchino Del Regno
<angelogioacchino.delregno@...labora.com>
To: Nícolas F. R. A. Prado
<nfraprado@...labora.com>, Hans Verkuil <hverkuil-cisco@...all.nl>
Cc: kernel@...labora.com, Andrew-CT Chen <andrew-ct.chen@...iatek.com>,
Matthias Brugger <matthias.bgg@...il.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Tiffany Lin <tiffany.lin@...iatek.com>,
Yunfei Dong <yunfei.dong@...iatek.com>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-media@...r.kernel.org, linux-mediatek@...ts.infradead.org
Subject: Re: [PATCH] media: mediatek: vcodec: Consider vdecsys presence in reg
range check
Il 25/07/23 22:40, Nícolas F. R. A. Prado ha scritto:
> Commit fe8a33978383 ("media: mediatek: vcodec: Read HW active status
> from syscon") allowed the driver to read the VDEC_SYS io space from a
> syscon instead of from the reg property when reg-names are supplied.
> However as part of that change, a smatch warning was introduced:
>
> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c:142 mtk_vcodec_get_reg_bases() error: buffer overflow 'mtk_dec_reg_names' 11 <= 11
>
> With a correct Devicetree, that is, one that follows the dt-binding, it
> wouldn't be possible to trigger such a buffer overflow. Even so, update
> the range validation of the reg property, so that the smatch warning is
> fixed and if an incorrect Devicetree is ever supplied the code errors
> out instead of causing memory corruption.
>
> Reported-by: Hans Verkuil <hverkuil-cisco@...all.nl>
> Closes: https://lore.kernel.org/all/b5fd2dff-14a5-3ad8-9698-d1a50f4516fa@xs4all.nl
> Fixes: fe8a33978383 ("media: mediatek: vcodec: Read HW active status from syscon")
> Signed-off-by: Nícolas F. R. A. Prado <nfraprado@...labora.com>
>
> ---
>
> drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
> index 742b6903d030..cd62b3f68072 100644
> --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
> +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
> @@ -124,7 +124,8 @@ static int mtk_vcodec_get_reg_bases(struct mtk_vcodec_dev *dev)
> /* Sizeof(u32) * 4 bytes for each register base. */
> reg_num = of_property_count_elems_of_size(pdev->dev.of_node, "reg",
> sizeof(u32) * 4);
> - if (reg_num <= 0 || reg_num > NUM_MAX_VDEC_REG_BASE) {
> + if (reg_num <= 0 || reg_num > NUM_MAX_VDEC_REG_BASE ||
You could also simplify this like
int num_max_vdec_regs;
....
num_max_vdec_regs = no_vdecsys_reg ?
ARRAY_SIZE(mtk_dec_reg_names) : NUM_MAX_VDEC_REG_BASE;
if (reg_num <= 0 || reg_num > num_max_vdec_regs) ....
I'd go for the proposed solution, as it looks better in my eyes, but it's
ultimately your choice and probably just a personal preference.
That said, if you want to keep this commit as it is, you still get my
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>
> + (!has_vdecsys_reg && reg_num > NUM_MAX_VDEC_REG_BASE - 1)) {
> dev_err(&pdev->dev, "Invalid register property size: %d\n", reg_num);
> return -EINVAL;
> }
Powered by blists - more mailing lists