From patchwork Sat Jan 4 05:41:36 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vedang Nagar X-Patchwork-Id: 855102 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F24517C69; Sat, 4 Jan 2025 05:42:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1735969324; cv=none; b=iKR5k6EUD4vRdCyQUatUvYB8JOJcTbScOOOuY/47EVRqhi7ONpM6GhffUrsRpBjSPTpgH2NPZ1vxnXCd7Shr26c+DoBzq2YYTyw8TnA0Lt2c6sNrhtH9PxAeEfu+xb2hi1Yf1sN+sAc+nK0wug/nyXpE5uWGiawjuSn9lQcdxoI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1735969324; c=relaxed/simple; bh=0rpW147ExNkqh3cPmgcWxrbDXwzM+JtC0t0ZCo9Gb+U=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=ZmvoLXnJUpXPUWVmbxVPixW/ppONKuq7F9OJOoj8md3tpxi2jvYSgAuG0/pnURSiLTunA1qiG6ihWnOSfq/Rwy/RXmfTe+6ij0GEDJ01epqeFz0xrTDWyFWi1s+d5Nr1Qy+ma47OhttgWZcb7okw3tmxs4qCf/Ie0xud8fKFLBM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=DNivNb62; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="DNivNb62" Received: from pps.filterd (m0279871.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 50446iDd006091; Sat, 4 Jan 2025 05:41:58 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=qcppdkim1; bh= bx2nBaRMDMCxvJqlBwdkzoEpvjyrTB6xzop8ORn9mLE=; b=DNivNb62Gmn3rz+B 6US6wqUnE9hZ+9ql6Xr4syhHsAMbqg2H5vnvqWM2nsdNclJQqg4RXCQaGFgfuT+w sBqjLo/EB0dH5T0rYX4c1dAoQyZ0S+7BMEurQs8jTjkIgJPI5XAYXW1AgZyWwX4E iiGQrd9kCHqOtkh2qPk0xrieqBLBWzcNniPTVCxBixofvIIp1LK8Su5t8WKWJpVI np0Hrl0MKASD2RtgX+ETQ4ht/vMydwubuuC2bWQelTLZmqI43Y7Z3XOaMIHnKS8p dALbBXOU9iE7Ss62dTxnteml404Rv5l9JwdjoA0nmBZIjTIx8xfkhjOTjCDIgn6X tafzog== Received: from nasanppmta03.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 43xvjwg780-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 04 Jan 2025 05:41:57 +0000 (GMT) Received: from nasanex01b.na.qualcomm.com (nasanex01b.na.qualcomm.com [10.46.141.250]) by NASANPPMTA03.qualcomm.com (8.18.1.2/8.18.1.2) with ESMTPS id 5045fuTI015127 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 4 Jan 2025 05:41:56 GMT Received: from [10.213.96.105] (10.80.80.8) by nasanex01b.na.qualcomm.com (10.46.141.250) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.9; Fri, 3 Jan 2025 21:41:53 -0800 From: Vedang Nagar Date: Sat, 4 Jan 2025 11:11:36 +0530 Subject: [PATCH 1/2] media: venus: fix OOB read issue due to double read Precedence: bulk X-Mailing-List: linux-media@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <20250104-venus-security-fixes-v1-1-9d0dd4594cb4@quicinc.com> References: <20250104-venus-security-fixes-v1-0-9d0dd4594cb4@quicinc.com> In-Reply-To: <20250104-venus-security-fixes-v1-0-9d0dd4594cb4@quicinc.com> To: Stanimir Varbanov , Vikash Garodia , Bryan O'Donoghue , Mauro Carvalho Chehab CC: , , , Vedang Nagar X-Mailer: b4 0.15-dev-dedf8 X-Developer-Signature: v=1; a=ed25519-sha256; t=1735969311; l=1239; i=quic_vnagar@quicinc.com; s=20240917; h=from:subject:message-id; bh=0rpW147ExNkqh3cPmgcWxrbDXwzM+JtC0t0ZCo9Gb+U=; b=/xUuxY8tbnq0k3oUuUNkGSWYun54cgAZBZA0ZLnkV7h6tRXmONzrCfdwA4NmVz0Fn5lNxuxl4 2Vjh9rIfJIqCaK4MLYpKjOzN91rbjnptW7GdPHwTkKNFBZv52cb54r7 X-Developer-Key: i=quic_vnagar@quicinc.com; a=ed25519; pk=GHqLT8NPue4v+CDHbZork8Ps39CBHq345GQKvCZ1glE= X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nasanex01b.na.qualcomm.com (10.46.141.250) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: 1FRlYnrz5SJGHau5Z4iuiwvts-5ItW7z X-Proofpoint-ORIG-GUID: 1FRlYnrz5SJGHau5Z4iuiwvts-5ItW7z X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-06_09,2024-09-06_01,2024-09-02_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 mlxscore=0 spamscore=0 priorityscore=1501 lowpriorityscore=0 clxscore=1011 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 mlxlogscore=697 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2411120000 definitions=main-2501040046 During message queue read, the address is being read twice from the shared memory. The first read is validated against the size of the packet, however the second read is not being validated. Therefore, it's possible for firmware to modify the value to a bigger invalid value which can lead to OOB read access issue while reading the packet. Added fix to reupdate the size of the packet which was read for the first time. Signed-off-by: Vedang Nagar --- drivers/media/platform/qcom/venus/hfi_venus.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c index f9437b6412b91c2483670a2b11f4fd43f3206404..64cc9e916f53e5a9c82b1ff25c4475d622ebc321 100644 --- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c @@ -298,6 +298,7 @@ static int venus_read_queue(struct venus_hfi_device *hdev, memcpy(pkt, rd_ptr, len); memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2); } + memcpy(pkt, (u32 *)(queue->qmem.kva + (rd_idx << 2)), sizeof(u32)); } else { /* bad packet received, dropping */ new_rd_idx = qhdr->write_idx; From patchwork Sat Jan 4 05:41:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vedang Nagar X-Patchwork-Id: 855211 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D89F914C5AA; Sat, 4 Jan 2025 05:42:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1735969326; cv=none; b=OKuavx+oqungoGbOAVX6SfNDlHvMrN5Q1/7NevJ8HrcPH7iM/4yd8XhSJZQ/xec7skxwhumZciQiBmamZjSb+tCuJnoTB5YczPULpfzb26TLqTXqKJ+Idp2T7gbk7Hc8XwyR+TCKeRooSCSTiqWO5tRV2GzzvUywiL/TeMtk/8g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1735969326; c=relaxed/simple; bh=LAsSTmvz3OtcE8QURJk84GGff9I5n58G3Sh+J6ZZiQQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References: In-Reply-To:To:CC; b=fVGxPYB/Nj8OoNTHAIyhEIN2JMtHBaxowX787V/6qYxGeZUyWIHbTBTYJS8z0Ks6RI/AOFRz+r0idMmSll7/XYs6cbfSpg7ScsdtKThfVdAUh11q5YZK2F6LtKfDinNaw04w1Td54f/RCWZidwOdXh1dwgkTy0PU1fjEWriZ8BE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=CDUqlMFf; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="CDUqlMFf" Received: from pps.filterd (m0279868.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 50446OcB027086; Sat, 4 Jan 2025 05:42:00 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=qcppdkim1; bh= q47ygRB0QOW3cDcv/BaoQWclltakKDao79RZaI8CKos=; b=CDUqlMFfMQCtISJy qHlMz7uNVGZ4pLkr5N3ofhHJvWjcY0ATbtbvt+GcPt4N4iB6l/K6+RdHih1q6B6B L4yysVuTLYtZu+f7asI0qkTUKYrXr7Noqv/wNVBjiXt8xvESclZCcYGrBqfm/nn6 tgBJRqMies9cO+bl+QAaiONWTWUXykKXvMaZTy4aeC1nE6ca6+acF5q8NVr6YOAL wChbLDLUYoWaDDhsSYZSSGokAAzYwfywW1va/j+qALpnNlBKnfFt1Cs9sMbnorrC ehZriRMUq3GnRAQSk7hnzVvHEBPLw2s0T34sQSt4wovjjfFf3U/IWjFkVIHOg6Qm C0hz2Q== Received: from nasanppmta03.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 43xvaf888a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 04 Jan 2025 05:42:00 +0000 (GMT) Received: from nasanex01b.na.qualcomm.com (nasanex01b.na.qualcomm.com [10.46.141.250]) by NASANPPMTA03.qualcomm.com (8.18.1.2/8.18.1.2) with ESMTPS id 5045fxRo015157 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 4 Jan 2025 05:41:59 GMT Received: from [10.213.96.105] (10.80.80.8) by nasanex01b.na.qualcomm.com (10.46.141.250) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.9; Fri, 3 Jan 2025 21:41:57 -0800 From: Vedang Nagar Date: Sat, 4 Jan 2025 11:11:37 +0530 Subject: [PATCH 2/2] media: venus: fix OOB access issue while reading sequence changed events Precedence: bulk X-Mailing-List: linux-media@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <20250104-venus-security-fixes-v1-2-9d0dd4594cb4@quicinc.com> References: <20250104-venus-security-fixes-v1-0-9d0dd4594cb4@quicinc.com> In-Reply-To: <20250104-venus-security-fixes-v1-0-9d0dd4594cb4@quicinc.com> To: Stanimir Varbanov , Vikash Garodia , Bryan O'Donoghue , Mauro Carvalho Chehab CC: , , , Vedang Nagar X-Mailer: b4 0.15-dev-dedf8 X-Developer-Signature: v=1; a=ed25519-sha256; t=1735969311; l=5411; i=quic_vnagar@quicinc.com; s=20240917; h=from:subject:message-id; bh=LAsSTmvz3OtcE8QURJk84GGff9I5n58G3Sh+J6ZZiQQ=; b=BftFox6NwC+krArDlM4Wye0+z6AD8ZZreLCPTy3F+v5ZwuFgsmbcOoRVsZTPS9T108Lhg9Ykz /MzQ1P8ly9YA7YI+62DF+TlfCuUqGVpSPsadg+/7Egozbku0hkfrMVO X-Developer-Key: i=quic_vnagar@quicinc.com; a=ed25519; pk=GHqLT8NPue4v+CDHbZork8Ps39CBHq345GQKvCZ1glE= X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nasanex01b.na.qualcomm.com (10.46.141.250) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: TzbKJfqyoc-Lhin4Pvj4TVTqOYGhM2FF X-Proofpoint-GUID: TzbKJfqyoc-Lhin4Pvj4TVTqOYGhM2FF X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-06_09,2024-09-06_01,2024-09-02_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 bulkscore=0 lowpriorityscore=0 malwarescore=0 mlxlogscore=999 priorityscore=1501 impostorscore=0 clxscore=1011 mlxscore=0 suspectscore=0 spamscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2411120000 definitions=main-2501040046 num_properties_changed is being read from the message queue but is not validated. Value can be corrupted from the firmware leading to OOB read access issues. Add fix to read the size of the packets as well and crosscheck before reading from the packet. Signed-off-by: Vedang Nagar --- drivers/media/platform/qcom/venus/hfi_msgs.c | 62 +++++++++++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 0a041b4db9efc549621de07dd13b4a3a37a70d11..3fff21ea744b0171e204dd0851fc46cb468e1979 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -33,8 +33,8 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, struct hfi_buffer_requirements *bufreq; struct hfi_extradata_input_crop *crop; struct hfi_dpb_counts *dpb_count; + u32 ptype, rem_bytes; u8 *data_ptr; - u32 ptype; inst->error = HFI_ERR_NONE; @@ -56,66 +56,126 @@ static void event_seq_changed(struct venus_core *core, struct venus_inst *inst, } data_ptr = (u8 *)&pkt->ext_event_data[0]; + rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt); + if (rem_bytes - 4 < 0) { + inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; + goto done; + } + do { ptype = *((u32 *)data_ptr); switch (ptype) { case HFI_PROPERTY_PARAM_FRAME_SIZE: + if (rem_bytes < sizeof(u32)) + break; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + if (rem_bytes < sizeof(struct hfi_framesize)) + break; frame_sz = (struct hfi_framesize *)data_ptr; event.width = frame_sz->width; event.height = frame_sz->height; data_ptr += sizeof(*frame_sz); + rem_bytes -= sizeof(struct hfi_framesize); break; case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT: + if (rem_bytes < sizeof(u32)) + break; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + if (rem_bytes < sizeof(struct hfi_profile_level)) + break; profile_level = (struct hfi_profile_level *)data_ptr; event.profile = profile_level->profile; event.level = profile_level->level; data_ptr += sizeof(*profile_level); + rem_bytes -= sizeof(struct hfi_profile_level); break; case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH: + if (rem_bytes < sizeof(u32)) + break; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + if (rem_bytes < sizeof(struct hfi_bit_depth)) + break; pixel_depth = (struct hfi_bit_depth *)data_ptr; event.bit_depth = pixel_depth->bit_depth; data_ptr += sizeof(*pixel_depth); + rem_bytes -= sizeof(struct hfi_bit_depth); break; case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT: + if (rem_bytes < sizeof(u32)) + break; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + if (rem_bytes < sizeof(struct hfi_pic_struct)) + break; pic_struct = (struct hfi_pic_struct *)data_ptr; event.pic_struct = pic_struct->progressive_only; data_ptr += sizeof(*pic_struct); + rem_bytes -= sizeof(struct hfi_pic_struct); break; case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE: + if (rem_bytes < sizeof(u32)) + break; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + if (rem_bytes < sizeof(struct hfi_colour_space)) + break; colour_info = (struct hfi_colour_space *)data_ptr; event.colour_space = colour_info->colour_space; data_ptr += sizeof(*colour_info); + rem_bytes -= sizeof(struct hfi_colour_space); break; case HFI_PROPERTY_CONFIG_VDEC_ENTROPY: + if (rem_bytes < sizeof(u32)) + break; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + if (rem_bytes < sizeof(u32)) + break; event.entropy_mode = *(u32 *)data_ptr; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); break; case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: + if (rem_bytes < sizeof(u32)) + break; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + if (rem_bytes < sizeof(struct hfi_buffer_requirements)) + break; bufreq = (struct hfi_buffer_requirements *)data_ptr; event.buf_count = hfi_bufreq_get_count_min(bufreq, ver); data_ptr += sizeof(*bufreq); + rem_bytes -= sizeof(struct hfi_buffer_requirements); break; case HFI_INDEX_EXTRADATA_INPUT_CROP: + if (rem_bytes < sizeof(u32)) + break; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + if (rem_bytes < sizeof(struct hfi_extradata_input_crop)) + break; crop = (struct hfi_extradata_input_crop *)data_ptr; event.input_crop.left = crop->left; event.input_crop.top = crop->top; event.input_crop.width = crop->width; event.input_crop.height = crop->height; data_ptr += sizeof(*crop); + rem_bytes -= sizeof(struct hfi_extradata_input_crop); break; case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS: + if (rem_bytes < sizeof(u32)) + break; data_ptr += sizeof(u32); + rem_bytes -= sizeof(u32); + if (rem_bytes < sizeof(struct hfi_dpb_counts)) + break; dpb_count = (struct hfi_dpb_counts *)data_ptr; event.buf_count = dpb_count->fw_min_cnt; data_ptr += sizeof(*dpb_count); + rem_bytes -= sizeof(struct hfi_dpb_counts); break; default: break;