lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID:
 <PAXPR04MB8254E671EFA3C2C4264C548FE7BA2@PAXPR04MB8254.eurprd04.prod.outlook.com>
Date: Wed, 23 Apr 2025 07:19:55 +0000
From: Ming Qian <ming.qian@....com>
To: Nicolas Dufresne <nicolas@...fresne.ca>, Chenyuan Yang
	<chenyuan0y@...il.com>, Eagle Zhou <eagle.zhou@....com>, "mchehab@...nel.org"
	<mchehab@...nel.org>, "shijie.qin@....com" <shijie.qin@....com>,
	"hverkuil@...all.nl" <hverkuil@...all.nl>
CC: "linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [EXT] Re: [PATCH] media: amphion: fix potential NULL deref in
 vpu_core_parse_dt()



>-----Original Message-----
>From: Nicolas Dufresne <nicolas@...fresne.ca>
>Sent: Wednesday, April 23, 2025 5:14 AM
>To: Chenyuan Yang <chenyuan0y@...il.com>; Ming Qian
><ming.qian@....com>; Eagle Zhou <eagle.zhou@....com>;
>mchehab@...nel.org; shijie.qin@....com; hverkuil@...all.nl
>Cc: linux-media@...r.kernel.org; linux-kernel@...r.kernel.org
>Subject: [EXT] Re: [PATCH] media: amphion: fix potential NULL deref in
>vpu_core_parse_dt()
>
>Caution: This is an external email. Please take care when clicking links or
>opening attachments. When in doubt, report the message using the 'Report
>this email' button
>
>
>Le vendredi 11 avril 2025 à 17:20 -0400, Nicolas Dufresne a écrit :
>> Hi,
>>
>> Le vendredi 11 avril 2025 à 13:43 -0500, Chenyuan Yang a écrit :
>> > The result of memremap() may be NULL on failure, leading to a null
>> > dereference in the subsequent memset(). Add explicit checks after
>> > each memremap() call: if the firmware region fails to map, return
>> > immediately; if the RPC region fails, unmap the firmware window
>> > before returning.
>>
>> Its hard to believe that its a coincidence that someone else sent a
>> patch for this. A colleague, the same person ?
>>
>> I do prefer this version though, the commits message is better, the
>> code is nicer. If its you, adding a [PATCH v2], or just adding a
>> comment that its a better version would be nice.
>
>To Ming Qian, this is the type of patch that I expect an Acked-by from the
>maintainer.
>
>Meanwhile, to Chenyuan, you should followup when requested. Marking this
>patch as change requested, looking forward a v2.
>
>Nicolas
>
>>
>> >
>> > This is similar to the commit 966d47e1f27c
>> > ("efi: fix potential NULL deref in efi_mem_reserve_persistent").
>> >
>> > This is found by our static analysis tool KNighter.
>> >
>> > Signed-off-by: Chenyuan Yang <chenyuan0y@...il.com>
>> > Fixes: 9f599f351e86 ("media: amphion: add vpu core driver")

Reviewed-by: Ming Qian <ming.qian@....nxp.com>

>> > ---
>> >  drivers/media/platform/amphion/vpu_core.c | 11 +++++++++++
>> >  1 file changed, 11 insertions(+)
>> >
>> > diff --git a/drivers/media/platform/amphion/vpu_core.c
>> > b/drivers/media/platform/amphion/vpu_core.c
>> > index 8df85c14ab3f..26568987586d 100644
>> > --- a/drivers/media/platform/amphion/vpu_core.c
>> > +++ b/drivers/media/platform/amphion/vpu_core.c
>> > @@ -586,7 +586,18 @@ static int vpu_core_parse_dt(struct vpu_core
>*core, struct device_node *np)
>> >     }
>> >
>> >     core->fw.virt = memremap(core->fw.phys, core->fw.length,
>> > MEMREMAP_WC);
>> > +   if (!core->fw.virt) {
>> > +           dev_err(core->dev, "failed to remap fw region\n");
>> > +           of_node_put(node);
>>
>> nit: node and res are no longer used passed line 579. Meaning you
>> could unref the node earlier, and remove the repeated
>> of_node_put(node) call in the error conditions.
>>
>> > +           return -ENOMEM;
>> > +   }
>> >     core->rpc.virt = memremap(core->rpc.phys, core->rpc.length,
>> > MEMREMAP_WC);
>>
>> I really enjoy blank lines after closing scope, even though its not a
>> strict coding standard.
>>
>> > +   if (!core->rpc.virt) {
>> > +           dev_err(core->dev, "failed to remap rpc region\n");
>> > +           memunmap(core->fw.virt);
>>
>> Its interesting that you thought of cleaning that up here, since its
>> not being cleanup in the error case of "if (ret !=
>> VPU_CORE_MEMORY_UNCACHED)".  And its also not being cleanup if the
>> probe fails later for other reasons. Perhaps your chance to add more
>> fixes to this driver.
>>
>> > +           of_node_put(node);
>> > +           return -ENOMEM;
>> > +   }
>> >     memset(core->rpc.virt, 0, core->rpc.length);
>>
>> Same, I like blank lines (but you are free to ignore me if Ming does
>> not care).
>>
>> >
>> >     ret = vpu_iface_check_memory_region(core, core->rpc.phys,
>> > core->rpc.length);
>>
>> regards,
>> Nicolas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ