Message ID | 20221223123025.5948-1-a.burakov@rosalinux.ru (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Sakari Ailus |
Headers |
Received: from vger.kernel.org ([23.128.96.18]) by www.linuxtv.org with esmtp (Exim 4.92) (envelope-from <linux-media-owner@vger.kernel.org>) id 1p8hCX-003j4B-UD; Fri, 23 Dec 2022 12:31:05 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230429AbiLWMa5 (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Fri, 23 Dec 2022 07:30:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48784 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229506AbiLWMa4 (ORCPT <rfc822;linux-media@vger.kernel.org>); Fri, 23 Dec 2022 07:30:56 -0500 Received: from mail.rosalinux.ru (mail.rosalinux.ru [195.19.76.54]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 56B015F63; Fri, 23 Dec 2022 04:30:48 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by mail.rosalinux.ru (Postfix) with ESMTP id 653E1514336F; Fri, 23 Dec 2022 15:29:22 +0300 (MSK) Received: from mail.rosalinux.ru ([127.0.0.1]) by localhost (mail.rosalinux.ru [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id zHmHr3oxIjyB; Fri, 23 Dec 2022 15:29:22 +0300 (MSK) Received: from localhost (localhost [127.0.0.1]) by mail.rosalinux.ru (Postfix) with ESMTP id 29CBB5143372; Fri, 23 Dec 2022 15:29:22 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.10.3 mail.rosalinux.ru 29CBB5143372 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rosalinux.ru; s=1D4BB666-A0F1-11EB-A1A2-F53579C7F503; t=1671798562; bh=yXHtvnOMY5eVIVGTxUflX7Ih3TxR3ASy2jfItVNcKx0=; h=From:To:Date:Message-Id:MIME-Version; b=mENv6OhVuLIQrPrw/2HLDk2wzdDiC/04ajhR7J2pze+AgmfpM4WGB84ugvQZBrhlC tI9v9wczKUxpQuzfAM45pHf6VEIZVP6QtQQmBwNRCIryS505WiziHpgw5vUjPq6DoJ cIm1cgYLDy4w9ljwaVV3YVx9S+hu8ba+pbU+6P//mO6qQel5tfJYK0eH2ZmxgQoWOe 8H5sUaNQsKA5/W1qHe5IK9pYn98i+E3vge4G1Had/m0/VdvG661d4znd9dqhajOHno wlOaX3RiNO3aXfJSExySeYt64W0U9JvLn6hJWk/GWP7VWkx+4OCojyw3miErZRn9c7 cOvHbHin7s5nA== X-Virus-Scanned: amavisd-new at rosalinux.ru Received: from mail.rosalinux.ru ([127.0.0.1]) by localhost (mail.rosalinux.ru [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id LenJMnkku1Ky; Fri, 23 Dec 2022 15:29:22 +0300 (MSK) Received: from ubuntu.localdomain (unknown [144.206.93.23]) by mail.rosalinux.ru (Postfix) with ESMTPSA id B6378514336F; Fri, 23 Dec 2022 15:29:21 +0300 (MSK) From: Aleksandr Burakov <a.burakov@rosalinux.ru> To: Sakari Ailus <sakari.ailus@linux.intel.com>, Bingbu Cao <bingbu.cao@intel.com>, Tianshu Qiu <tian.shu.qiu@intel.com> Cc: Aleksandr Burakov <a.burakov@rosalinux.ru>, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH] staging: media: ipu3: buffer overflow fix in imgu_map_node Date: Fri, 23 Dec 2022 15:30:25 +0300 Message-Id: <20221223123025.5948-1-a.burakov@rosalinux.ru> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org X-LSpam-Score: -2.5 (--) X-LSpam-Report: No, score=-2.5 required=5.0 tests=BAYES_00=-1.9,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.5,MAILING_LIST_MULTI=-1 autolearn=ham autolearn_force=no |
Series |
staging: media: ipu3: buffer overflow fix in imgu_map_node
|
|
Commit Message
Aleksandr Burakov
Dec. 23, 2022, 12:30 p.m. UTC
If imgu_node_map[i].css_queue is not equal to css_queue
then "i" after the loop could be equal to IMGU_NODE_NUM
that is more than the border value (IMGU_NODE_NUM - 1).
So imgu_map_node() call may return IMGU_NODE_NUM that is more
than expected value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver")
Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
---
drivers/staging/media/ipu3/ipu3.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Comments
Hi Aleksandr, On Fri, Dec 23, 2022 at 03:30:25PM +0300, Aleksandr Burakov wrote: > If imgu_node_map[i].css_queue is not equal to css_queue > then "i" after the loop could be equal to IMGU_NODE_NUM > that is more than the border value (IMGU_NODE_NUM - 1). > So imgu_map_node() call may return IMGU_NODE_NUM that is more > than expected value. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver") > Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru> > --- > drivers/staging/media/ipu3/ipu3.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c > index 0c453b37f8c4..cb09eb3cc227 100644 > --- a/drivers/staging/media/ipu3/ipu3.c > +++ b/drivers/staging/media/ipu3/ipu3.c > @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue) > for (i = 0; i < IMGU_NODE_NUM; i++) > if (imgu_node_map[i].css_queue == css_queue) > break; > - > - return i; > + if (i < IMGU_NODE_NUM) > + return i; > + else > + return (IMGU_NODE_NUM - 1); > } > > /**************** Dummy buffers ****************/ Thanks for the patch. It would require a bug elsewhere in the driver for this to happen. If some handling for this case is added, it shouldn't be hiding the issue. One easy way could be to add WARN_ON() for this, and return some value (as you do). Zero would do equally well. I.e. return WARN_ON(i >= IMGU_NODE_NUM) ? 0 : i;
On Mon, Jan 02, 2023 at 01:41:21PM +0000, Sakari Ailus wrote: > > diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c > > index 0c453b37f8c4..cb09eb3cc227 100644 > > --- a/drivers/staging/media/ipu3/ipu3.c > > +++ b/drivers/staging/media/ipu3/ipu3.c > > @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue) > > for (i = 0; i < IMGU_NODE_NUM; i++) > > if (imgu_node_map[i].css_queue == css_queue) > > break; > > - > > - return i; > > + if (i < IMGU_NODE_NUM) > > + return i; > > + else > > + return (IMGU_NODE_NUM - 1); > > } > > > > /**************** Dummy buffers ****************/ > > Thanks for the patch. It would require a bug elsewhere in the driver for > this to happen. If some handling for this case is added, it shouldn't be > hiding the issue. > > One easy way could be to add WARN_ON() for this, and return some value (as > you do). Zero would do equally well. > > I.e. > > return WARN_ON(i >= IMGU_NODE_NUM) ? 0 : i; > I sent basically the same response but somehow my email never went through... I'm using mutt with gmail Oauth2 and msmtp and so my weekly(?) login has expired then something silently eats my outgoing emails. In this case the emails that I sent directly before and after went through so it seems like my login wasn't expired or everything would have been eaten. This Oauth2 transition has just been so frustrating. Am I the only person having trouble with it? regards, dan carpenter
diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c index 0c453b37f8c4..cb09eb3cc227 100644 --- a/drivers/staging/media/ipu3/ipu3.c +++ b/drivers/staging/media/ipu3/ipu3.c @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue) for (i = 0; i < IMGU_NODE_NUM; i++) if (imgu_node_map[i].css_queue == css_queue) break; - - return i; + if (i < IMGU_NODE_NUM) + return i; + else + return (IMGU_NODE_NUM - 1); } /**************** Dummy buffers ****************/