From: Dan Carpenter <dan.carpenter@oracle.com>
To: mchehab+huawei@kernel.org
Cc: Sakari Ailus <sakari.ailus@linux.intel.com>, linux-media@vger.kernel.org
Subject: [bug report] Revert "media: staging: atomisp: Remove driver"
Date: Fri, 29 May 2020 13:41:07 +0300
Message-ID: <20200529104107.GA1306497@mwanda>

Hello Mauro Carvalho Chehab,

The patch ad85094b293e: "Revert "media: staging: atomisp: Remove
driver"" from Apr 19, 2020, leads to the following static checker
warning:

    drivers/staging/media/atomisp/pci/atomisp_acc.c:207 atomisp_acc_load_to_pipe()
    warn: pointer comes from user 'acc_fw->fw->blob.code'

drivers/staging/media/atomisp/pci/atomisp_acc.c
168
169         acc_fw = acc_alloc_fw(user_fw->size);
170         if (!acc_fw)
171                 return -ENOMEM;
172
173         if (copy_from_user(acc_fw->fw, user_fw->data, user_fw->size)) {
                               ^^^^^^^^^^
The acc_fw->fw->blob.code pointer isn't annotated as __user data.
Eventually it gets passed as "data" to int hmm_store() and treated as
a kernel pointer.

Presumably only privileged users can load new firmware so this isn't
a serious security bug...

174                 acc_free_fw(acc_fw);
175                 return -EFAULT;
176         }
177
178         handle = ida_alloc(&asd->acc.ida, GFP_KERNEL);
179         if (handle < 0) {
180                 acc_free_fw(acc_fw);
181                 return -ENOSPC;
182         }
183
184         user_fw->fw_handle = handle;
185         acc_fw->handle = handle;
186         acc_fw->flags = user_fw->flags;
187         acc_fw->type = user_fw->type;
188         acc_fw->fw->handle = handle;
189
190         /*
191          * correct isp firmware type in order ISP firmware can be appended
192          * to correct pipe properly
193          */
194         if (acc_fw->fw->type == ia_css_isp_firmware) {
195                 static const int type_to_css[] = {
196                         [ATOMISP_ACC_FW_LOAD_TYPE_OUTPUT] =
197                                 IA_CSS_ACC_OUTPUT,
198                         [ATOMISP_ACC_FW_LOAD_TYPE_VIEWFINDER] =
199                                 IA_CSS_ACC_VIEWFINDER,
200                         [ATOMISP_ACC_FW_LOAD_TYPE_STANDALONE] =
201                                 IA_CSS_ACC_STANDALONE,
202                 };
203                 acc_fw->fw->info.isp.type = type_to_css[acc_fw->type];
204         }
205
206         list_add_tail(&acc_fw->list, &asd->acc.fw);
207         return 0;
208 }

regards,
dan carpenter
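
The pattern the report describes, as an added example that is not part of the original message and is not atomisp driver code: a userspace C model in which a header copied from user memory carries an embedded pointer, shown once dereferenced as trusted and once routed through the same checked copy as the header. `struct fw_blob`, `model_copy_from_user()`, `load_unchecked()` and `load_checked()` are hypothetical names, and the two static buffers are constructed stand-ins for user and kernel memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: user_mem stands for user space, kernel_secret for kernel memory. */
static unsigned char user_mem[64];
static unsigned char kernel_secret[16] = "kernel-secret";

struct fw_blob {                /* hypothetical header that embeds a pointer */
    const void *code;
    size_t size;
};

/* Model of copy_from_user(): copies only if [src, src+n) lies inside user_mem.
 * Returns the number of bytes NOT copied, like the kernel helper. */
static size_t model_copy_from_user(void *dst, const void *src, size_t n)
{
    uintptr_t a = (uintptr_t)src, lo = (uintptr_t)user_mem;
    if (n > sizeof(user_mem) || a < lo || a - lo > sizeof(user_mem) - n)
        return n;
    memcpy(dst, src, n);
    return 0;
}

/* Flawed: the header is copied safely, but its embedded pointer is then
 * used as if it were a trusted kernel pointer. */
static int load_unchecked(const void *uhdr, unsigned char *out, size_t outlen)
{
    struct fw_blob b;
    if (model_copy_from_user(&b, uhdr, sizeof(b)) || b.size > outlen)
        return -1;
    memcpy(out, b.code, b.size);    /* b.code is user-supplied and unchecked */
    return 0;
}

/* Hardened: the embedded pointer is treated as a user pointer and goes
 * through the same checked copy as the header. */
static int load_checked(const void *uhdr, unsigned char *out, size_t outlen)
{
    struct fw_blob b;
    if (model_copy_from_user(&b, uhdr, sizeof(b)) || b.size > outlen)
        return -1;
    return model_copy_from_user(out, b.code, b.size) ? -1 : 0;
}

int main(void)
{
    unsigned char out[16] = {0};
    struct fw_blob hdr = { kernel_secret, sizeof(kernel_secret) };
    memcpy(user_mem, &hdr, sizeof(hdr));
    printf("unchecked=%d ", load_unchecked(user_mem, out, sizeof(out)));
    printf("checked=%d\n", load_checked(user_mem, out, sizeof(out)));
    return 0;
}
```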