| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aafd2f8d-be8e-4929-a21c-c8f066e2f6f1@collabora.com>
Date: Tue, 23 Sep 2025 14:59:02 +0200
From: Benjamin Gaignard <benjamin.gaignard@...labora.com>
To: Nicolas Dufresne <nicolas.dufresne@...labora.com>,
Philipp Zabel <p.zabel@...gutronix.de>,
Mauro Carvalho Chehab <mchehab@...nel.org>, Shawn Guo <shawnguo@...nel.org>,
Sascha Hauer <s.hauer@...gutronix.de>,
Pengutronix Kernel Team <kernel@...gutronix.de>,
Fabio Estevam <festevam@...il.com>, Jernej Skrabec
<jernej.skrabec@...il.com>, Hans Verkuil <hverkuil@...nel.org>,
Ezequiel Garcia <ezequiel@...guardiasur.com.ar>
Cc: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
linux-media@...r.kernel.org, linux-rockchip@...ts.infradead.org,
linux-kernel@...r.kernel.org, imx@...ts.linux.dev,
linux-arm-kernel@...ts.infradead.org, kernel@...labora.com,
Stable@...r.kernel.org
Subject: Re: [PATCH 2/2] media: verisilicon: Protect G2 HEVC decoder against
invalid DPB index
Le 22/09/2025 à 20:43, Nicolas Dufresne a écrit :
> Fix the Hantro G2 HEVC decoder so that we use DPB index 0 whenever a
> ninvalid index is received from user space. This protects the hardware
> from doing faulty memory access which then leads to bus errors.
>
> To be noted that when a reference is missing, userspace such as GStreamer
> passes an invalid DPB index of 255. This issue was found by seeking to a
> CRA picture using GStreamer. The framework is currently missing the code
> to skip over RASL pictures placed after the CRA. This situation can also
> occur while doing live streaming over lossy transport.
>
> Fixes: cb5dd5a0fa518 ("media: hantro: Introduce G2/HEVC decoder")
> Signed-off-by: Nicolas Dufresne <nicolas.dufresne@...labora.com>
Reviewed-by: Benjamin Gaignard <benjamin.gaignard@...labora.com>
> ---
> drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
> index f066636e56f98560d9b1c5036691e3c34dd13b1f..e8c2e83379def53ce7fd86d6929ed4f5e0db068e 100644
> --- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
> +++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
> @@ -283,6 +283,15 @@ static void set_params(struct hantro_ctx *ctx)
> hantro_reg_write(vpu, &g2_apf_threshold, 8);
> }
>
> +static u32 get_dpb_index(const struct v4l2_ctrl_hevc_decode_params *decode_params,
> + const u32 index)
> +{
> + if (index > decode_params->num_active_dpb_entries)
> + return 0;
> +
> + return index;
> +}
> +
> static void set_ref_pic_list(struct hantro_ctx *ctx)
> {
> const struct hantro_hevc_dec_ctrls *ctrls = &ctx->hevc_dec.ctrls;
> @@ -355,8 +364,10 @@ static void set_ref_pic_list(struct hantro_ctx *ctx)
> list1[j++] = list1[i++];
>
> for (i = 0; i < V4L2_HEVC_DPB_ENTRIES_NUM_MAX; i++) {
> - hantro_reg_write(vpu, &ref_pic_regs0[i], list0[i]);
> - hantro_reg_write(vpu, &ref_pic_regs1[i], list1[i]);
> + hantro_reg_write(vpu, &ref_pic_regs0[i],
> + get_dpb_index(decode_params, list0[i]));
> + hantro_reg_write(vpu, &ref_pic_regs1[i],
> + get_dpb_index(decode_params, list1[i]));
> }
> }
>
>
Powered by blists - more mailing lists