From: Kees Cook <keescook@chromium.org>
To: Mirela Rabulea <mirela.rabulea@nxp.com>
Cc: Kees Cook <keescook@chromium.org>,
NXP Linux Team <linux-imx@nxp.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Shawn Guo <shawnguo@kernel.org>,
Sascha Hauer <s.hauer@pengutronix.de>,
Pengutronix Kernel Team <kernel@pengutronix.de>,
Fabio Estevam <festevam@gmail.com>,
linux-media@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] media: imx-jpeg: Bounds check sizeimage access
Date: Sat, 4 Feb 2023 10:38:05 -0800 [thread overview]
Message-ID: <20230204183804.never.323-kees@kernel.org> (raw)
The call of mxc_jpeg_get_plane_size() from mxc_jpeg_dec_irq() sets
plane_no argument to 1. The compiler sees that it's possible to end up
with an access beyond the bounds of sizeimage, if mem_planes was too
large:
if (plane_no >= fmt->mem_planes) // mem_planes = 2+
return 0;
if (fmt->mem_planes == fmt->comp_planes) // comp_planes != mem_planes
return q_data->sizeimage[plane_no];
if (plane_no < fmt->mem_planes - 1) // mem_planes = 2
return q_data->sizeimage[plane_no];
comp_planes == 0 or 1 is safe. comp_planes > 2 would be out of bounds.
(This isn't currently possible given the contents of mxc_formats, though.)
Silence the warning by bounds checking comp_planes for future
robustness. Seen with GCC 13:
In function 'mxc_jpeg_get_plane_size',
inlined from 'mxc_jpeg_dec_irq' at ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:729:14:
../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:42: warning: array subscript 2 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Warray-bounds=]
641 | size += q_data->sizeimage[i];
| ~~~~~~~~~~~~~~~~~^~~
In file included from ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.h:112,
from ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:63:
../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h: In function 'mxc_jpeg_dec_irq':
../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h:84:41: note: while referencing 'sizeimage'
84 | u32 sizeimage[MXC_JPEG_MAX_PLANES];
| ^~~~~~~~~
Cc: Mirela Rabulea <mirela.rabulea@nxp.com>
Cc: NXP Linux Team <linux-imx@nxp.com>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: linux-media@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
index 6cd015a35f7c..ac44bf23953a 100644
--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
@@ -637,6 +637,11 @@ static u32 mxc_jpeg_get_plane_size(struct mxc_jpeg_q_data *q_data, u32 plane_no)
return q_data->sizeimage[plane_no];
size = q_data->sizeimage[fmt->mem_planes - 1];
+
+ /* Should be impossible given mxc_formats. */
+ if (WARN_ON_ONCE(fmt->comp_planes > ARRAY_SIZE(q_data->sizeimage)))
+ return size;
+
for (i = fmt->mem_planes; i < fmt->comp_planes; i++)
size += q_data->sizeimage[i];
--
2.34.1
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Mirela Rabulea <mirela.rabulea@nxp.com>
Cc: Kees Cook <keescook@chromium.org>,
NXP Linux Team <linux-imx@nxp.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Shawn Guo <shawnguo@kernel.org>,
Sascha Hauer <s.hauer@pengutronix.de>,
Pengutronix Kernel Team <kernel@pengutronix.de>,
Fabio Estevam <festevam@gmail.com>,
linux-media@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] media: imx-jpeg: Bounds check sizeimage access
Date: Sat, 4 Feb 2023 10:38:05 -0800 [thread overview]
Message-ID: <20230204183804.never.323-kees@kernel.org> (raw)
The call of mxc_jpeg_get_plane_size() from mxc_jpeg_dec_irq() sets
plane_no argument to 1. The compiler sees that it's possible to end up
with an access beyond the bounds of sizeimage, if mem_planes was too
large:
if (plane_no >= fmt->mem_planes) // mem_planes = 2+
return 0;
if (fmt->mem_planes == fmt->comp_planes) // comp_planes != mem_planes
return q_data->sizeimage[plane_no];
if (plane_no < fmt->mem_planes - 1) // mem_planes = 2
return q_data->sizeimage[plane_no];
comp_planes == 0 or 1 is safe. comp_planes > 2 would be out of bounds.
(This isn't currently possible given the contents of mxc_formats, though.)
Silence the warning by bounds checking comp_planes for future
robustness. Seen with GCC 13:
In function 'mxc_jpeg_get_plane_size',
inlined from 'mxc_jpeg_dec_irq' at ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:729:14:
../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:42: warning: array subscript 2 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Warray-bounds=]
641 | size += q_data->sizeimage[i];
| ~~~~~~~~~~~~~~~~~^~~
In file included from ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.h:112,
from ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:63:
../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h: In function 'mxc_jpeg_dec_irq':
../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h:84:41: note: while referencing 'sizeimage'
84 | u32 sizeimage[MXC_JPEG_MAX_PLANES];
| ^~~~~~~~~
Cc: Mirela Rabulea <mirela.rabulea@nxp.com>
Cc: NXP Linux Team <linux-imx@nxp.com>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: linux-media@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
index 6cd015a35f7c..ac44bf23953a 100644
--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
@@ -637,6 +637,11 @@ static u32 mxc_jpeg_get_plane_size(struct mxc_jpeg_q_data *q_data, u32 plane_no)
return q_data->sizeimage[plane_no];
size = q_data->sizeimage[fmt->mem_planes - 1];
+
+ /* Should be impossible given mxc_formats. */
+ if (WARN_ON_ONCE(fmt->comp_planes > ARRAY_SIZE(q_data->sizeimage)))
+ return size;
+
for (i = fmt->mem_planes; i < fmt->comp_planes; i++)
size += q_data->sizeimage[i];
--
2.34.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next reply other threads:[~2023-02-04 18:38 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-04 18:38 Kees Cook [this message]
2023-02-04 18:38 ` [PATCH] media: imx-jpeg: Bounds check sizeimage access Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230204183804.never.323-kees@kernel.org \
--to=keescook@chromium.org \
--cc=festevam@gmail.com \
--cc=kernel@pengutronix.de \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-imx@nxp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=mirela.rabulea@nxp.com \
--cc=s.hauer@pengutronix.de \
--cc=shawnguo@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.