| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <63fa1fdf-bb7b-4ef7-8b9b-93eb97eef937@quicinc.com>
Date: Wed, 29 Jan 2025 10:31:04 +0530
From: Vedang Nagar <quic_vnagar@...cinc.com>
To: Bryan O'Donoghue <bryan.odonoghue@...aro.org>,
Stanimir Varbanov
<stanimir.k.varbanov@...il.com>,
Vikash Garodia <quic_vgarodia@...cinc.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>
CC: <linux-media@...r.kernel.org>, <linux-arm-msm@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/2] media: venus: fix OOB access issue while reading
sequence changed events
Hi Bryan,
On 1/17/2025 4:02 PM, Bryan O'Donoghue wrote:
> On 17/01/2025 08:39, Vedang Nagar wrote:
>> Hi Bryan,
>>
>> On 1/6/2025 5:36 AM, Bryan O'Donoghue wrote:
>>> On 04/01/2025 05:41, Vedang Nagar wrote:
>>>> num_properties_changed is being read from the message queue but is
>>>> not validated. Value can be corrupted from the firmware leading to
>>>> OOB read access issues. Add fix to read the size of the packets as
>>>> well and crosscheck before reading from the packet.
>>>>
>>>> Signed-off-by: Vedang Nagar <quic_vnagar@...cinc.com>
>>> Please see Vikash's series on this.
>>>
>>> https://lore.kernel.org/linux-arm-msm/20241128-venus_oob_2-v2-2-483ae0a464b8@quicinc.com/
>>>
>>> it seems to have exactly the same patch title ?
>>>
>>> Is this patch supposed to be a follow-up to that patch ?
>>>
>>> https://lore.kernel.org/linux-arm-msm/20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com/
>>>
>>> Expecting to see a V3 of the above. If the intention is to supersede that patch or some of those patches you should make clear here.
>> No, this is a different series having OOB fixes similar to ones posted by Vikash.
>
> OK, please use a different patch title.
>
> I understand the motive to repeat the patch title but, its confusing. If you added some text to make the OOB more specific then it would be possible to differentiate between.
>
> "fix OOB access issue while reading sequence changed events 'in some location' || 'on some path'"
Got it, will update the patch title in the next version.
>
>
>>>
>>> On the switch statement I'd have two comments.
>>>
>>> #1 is everything really a " -= sizeof(u32)" ?
>> Yes, it's everytime " -= sizeof(u32) " since the first the first word read is ptype of size u32
>>> #2 if so then this ought to be factored out into a function
>>> => functional decomposition
>> Sure, will fix this with decomposition into functions.
>
> Is firmware sending a change event or updating a packet already in memory ?
Firmware is sending a change event in a new packet.
>
> What is the nature of the change event and how do you guarantee the second read is valid when the first read can be considered invalid ?
>
> i.e.
>
> - Read - derive read value X.
> - Do some stuff.
> - Read - again to make sure length value is still X.
> - Do all sorts of other processing.
>
> At which point is the sequence considered complete and the data considered "locked" and valid ?
With rouge firmware, the data can get invalid by the firmware during the second read but our intention is to avoid reading the out of bound data.
Whereas reading the invalid data will eventually lead to session_error at some point in future.
>
> What happens if you get a subsequent change event once this procedure has completed ?
Either instance will go into error state or the same process will be repeated.
Please let us know if this is not a correct approach, or any other suggestions.
Regards,
Vedang Nagar
>
> ---
> bod
Powered by blists - more mailing lists