tmakin/ack-tegra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FROMGIT: media: venus: hfi: add a check to handle OOB in sfr region

Browse Source 
sfr->buf_size is in shared memory and can be modified by malicious user.
OOB write is possible when the size is made higher than actual sfr data
buffer. Cap the size to allocated size for such cases.

Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>

(cherry picked from commit f4b211714bcc70effa60c34d9fa613d182e3ef1e https://gitlab.freedesktop.org/linux-media/media-committers.git master)
Change-Id: I483a5feff3dfa35dae8f444e57601d2d1d85246f
Signed-off-by: Gaviraju Doddabettahalli Bettegowda <quic_gdoddabe@quicinc.com>
This commit is contained in:
Gaviraju Doddabettahalli Bettegowda
2025-03-20 19:59:27 +05:30
committed by Treehugger Robot
parent 01ed742812
commit c22f6470d7
1 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
drivers/media/platform/qcom/venus/hfi_venus.c
+10 -2
View File
@@ -1035,18 +1035,26 @@ static void venus_sfr_print(struct venus_hfi_device *hdev)
{
struct device *dev = hdev->core->dev;
struct hfi_sfr *sfr = hdev->sfr.kva;
u32 size;
void *p;
if (!sfr)
return;
p = memchr(sfr->data, '\0', sfr->buf_size);
size = sfr->buf_size;
if (!size)
return;
if (size > ALIGNED_SFR_SIZE)
size = ALIGNED_SFR_SIZE;
p = memchr(sfr->data, '\0', size);
/*
* SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates
* that Venus is in the process of crashing.
*/
if (!p)
sfr->data[sfr->buf_size - 1] = '\0';
sfr->data[size - 1] = '\0';
dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data);
}