From: Dan Carpenter <dan.carpenter@oracle.com>
To: Hans Verkuil <hverkuil@xs4all.nl>
Cc: tiffany.lin@mediatek.com, linux-media@vger.kernel.org,
linux-mediatek@lists.infradead.org
Subject: Re: [bug report] [media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver
Date: Thu, 10 Nov 2016 16:30:04 +0300 [thread overview]
Message-ID: <20161110120028.GG28558@mwanda> (raw)
In-Reply-To: <9794dab1-94ba-c384-85c5-edb8831810ff@xs4all.nl>
On Wed, Nov 09, 2016 at 02:45:21PM +0100, Hans Verkuil wrote:
> On 11/09/16 14:28, Dan Carpenter wrote:
> >Hello Tiffany Lin,
> >
> >The patch 590577a4e525: "[media] vcodec: mediatek: Add Mediatek V4L2
> >Video Decoder Driver" from Sep 2, 2016, leads to the following static
> >checker warning:
> >
> > drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c:536 vidioc_vdec_qbuf()
> > error: buffer overflow 'vq->bufs' 32 <= u32max
> >
> >drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
> > 520 static int vidioc_vdec_qbuf(struct file *file, void *priv,
> > 521 struct v4l2_buffer *buf)
> > 522 {
> > 523 struct mtk_vcodec_ctx *ctx = fh_to_ctx(priv);
> > 524 struct vb2_queue *vq;
> > 525 struct vb2_buffer *vb;
> > 526 struct mtk_video_dec_buf *mtkbuf;
> > 527 struct vb2_v4l2_buffer *vb2_v4l2;
> > 528
> > 529 if (ctx->state == MTK_STATE_ABORT) {
> > 530 mtk_v4l2_err("[%d] Call on QBUF after unrecoverable error",
> > 531 ctx->id);
> > 532 return -EIO;
> > 533 }
> > 534
> > 535 vq = v4l2_m2m_get_vq(ctx->m2m_ctx, buf->type);
> > 536 vb = vq->bufs[buf->index];
> >
> >Smatch thinks that "buf->index" comes straight from the user without
> >being checked and that this is a buffer overflow. It seems simple
> >enough to analyse the call tree.
> >
> >__video_do_ioctl()
> >-> v4l_qbuf()
> > -> vidioc_vdec_qbuf()
> >
> >It seems like Smatch is correct. I looked at a different implementation
> >of this and that one wasn't checked either so maybe there is something
> >I am not seeing.
> >
> >This has obvious security implications. Can someone take a look at
> >this?
>
> This is indeed wrong.
>
> The v4l2_m2m_qbuf() call at the end of this function calls in turn
> vb2_qbuf which
> will check the index.
There could be an issue before you reach v4l2_m2m_qbuf() because we
set "mtkbuf->lastframe = true;" so we could be corrupting random
memory.
I re-reviewed the other function I looked at earlier and that one was OK
though.
regards,
dan carpenter
prev parent reply other threads:[~2016-11-10 13:30 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-09 13:28 [bug report] [media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver Dan Carpenter
2016-11-09 13:28 ` Dan Carpenter
2016-11-09 13:45 ` Hans Verkuil
2016-11-10 4:31 ` Tiffany Lin
2016-11-10 4:31 ` Tiffany Lin
2016-11-10 13:30 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161110120028.GG28558@mwanda \
--to=dan.carpenter@oracle.com \
--cc=hverkuil@xs4all.nl \
--cc=linux-media@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=tiffany.lin@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.