[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f7df808c-0724-3f4d-b910-6e44637c7aaf@quicinc.com>
Date: Thu, 15 May 2025 18:53:15 +0530
From: Vikash Garodia <quic_vgarodia@...cinc.com>
To: Bryan O'Donoghue <bryan.odonoghue@...aro.org>,
Dikshita Agarwal
<quic_dikshita@...cinc.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Stanimir Varbanov <stanimir.varbanov@...aro.org>,
Hans Verkuil
<hans.verkuil@...co.com>
CC: <linux-media@...r.kernel.org>, <linux-arm-msm@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, Vedang Nagar <quic_vnagar@...cinc.com>
Subject: Re: [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when
reading packets from shared memory
On 5/15/2025 6:17 PM, Bryan O'Donoghue wrote:
> On 15/05/2025 13:11, Vikash Garodia wrote:
>>> But what if the "malicious" firmware only updated the data in the packet, not
>>> the length - or another field we are not checking ?
>> That does not cause any vulnerability. You can check and suggest if you see a
>> vulnerability when the data outside length is an issue w.r.t vulnerability.
>
> I don't believe you have identified a vulnerability here.
>
> You read a length field, you check that length field against a MAX size.
>
> Re-reading to see if the firmware wrote new bad data to the transmitted packet
> in-memory is not a fix before or after the memcpy() because the time you do that
> re-read is not fixed - locked wrt the freerunning firmware.
It would be more meaningful if you can suggest the vulnerability you see with
the changes suggested i.e adding the check in local packet against the size read
from shared queue. Based on that we can see how to fix it, otherwise this
discussion in not leading to any conclusion.
Regards,
Vikash
Powered by blists - more mailing lists