| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4cfc1fe1-2fab-4256-9ce2-b4a0aad1069e@linaro.org> Date: Fri, 17 Jan 2025 10:25:18 +0000 From: Bryan O'Donoghue <bryan.odonoghue@...aro.org> To: Vedang Nagar <quic_vnagar@...cinc.com>, Stanimir Varbanov <stanimir.k.varbanov@...il.com>, Vikash Garodia <quic_vgarodia@...cinc.com>, Mauro Carvalho Chehab <mchehab@...nel.org> Cc: linux-media@...r.kernel.org, linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 1/2] media: venus: fix OOB read issue due to double read On 17/01/2025 08:39, Vedang Nagar wrote: > Below is the first read where dwords is being validated properly with the checks. > dwords = *rd_ptr >> 2; > > Whereas the same address is being read for the second time: > memcpy(pkt, rd_ptr, dwords << 2); > > For the second read the value is not validated which may get updated from the firmware > leading to incorrect memcpy into the packet and may lead to OOB read access while accessing > the packet. So you are saying that pkt points to memory that the firmware and host can simultaneously access. The question is - if the length value can change between one read and another read - how do you trust the _content_ of the packet ? Surely the right thing to do is to take a _copy_ of the entire frame and act on that frame exclusively on the host side ? If I receive a frame, and read length X. Then I need to re-read that frame because length may now by X+3. This implies the _data_ in the frame has changed. What exactly is the valid lifetime of this data from HFI RX interrupt ? --- bod
Powered by blists - more mailing lists