lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aYXvDURNPu_5NILk@stanley.mountain>
Date: Fri, 6 Feb 2026 16:39:25 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Michael Riesch <michael.riesch@...labora.com>
Cc: linux-media@...r.kernel.org, linux-rockchip@...ts.infradead.org,
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: [bug report] media: rockchip: rkcif: add support for rk3568 vicap
 mipi capture

[ Smatch checking is paused while we raise funding.  #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Michael Riesch,

Commit 1f2353f5a1af ("media: rockchip: rkcif: add support for rk3568
vicap mipi capture") from Nov 14, 2025 (linux-next), leads to the
following Smatch static checker warning:

drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id]' size=4 max='4' rl='0-u32max'

drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id][index]' size=11 max='11' rl='0-11'

drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c
    504 static inline unsigned int rkcif_mipi_id_get_reg(struct rkcif_stream *stream,
    505                                                  unsigned int index)
    506 {
    507         struct rkcif_device *rkcif = stream->rkcif;
    508         unsigned int block, id, offset, reg;
    509 
    510         block = stream->interface->index - RKCIF_MIPI_BASE;
    511         id = stream->id;
    512 
    513         if (WARN_ON_ONCE(block > RKCIF_MIPI_MAX - RKCIF_MIPI_BASE) ||
    514             WARN_ON_ONCE(id > RKCIF_ID_MAX) ||
    515             WARN_ON_ONCE(index > RKCIF_MIPI_ID_REGISTER_MAX))


The id and index checks should be >=.  Not sure about block but I assume
it's off by one as well.

    516                 return RKCIF_REGISTER_NOTSUPPORTED;
    517 
    518         offset = rkcif->match_data->mipi->blocks[block].offset;
--> 519         reg = rkcif->match_data->mipi->regs_id[id][index];
    520         if (reg == RKCIF_REGISTER_NOTSUPPORTED)
    521                 return reg;
    522 
    523         return offset + reg;
    524 }

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ