From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
Cc: Florian Fainelli <florian.fainelli@broadcom.com>,
bcm-kernel-feedback-list@broadcom.com,
linux-staging@lists.linux.dev,
linux-rpi-kernel@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
linux-media@vger.kernel.org,
Dave Stevenson <dave.stevenson@raspberrypi.com>,
kernel-list@raspberrypi.com
Subject: Re: [PATCH 1/4] staging: vc04_services: vchiq-mmal: fix OOB array access in event_to_host_cb()
Date: Sun, 29 Mar 2026 08:35:36 +0200 [thread overview]
Message-ID: <2026032936-deniable-visa-2459@gregkh> (raw)
In-Reply-To: <20260329062229.493430-2-sebasjosue84@gmail.com>
On Sun, Mar 29, 2026 at 12:21:11AM -0600, Sebastian Josue Alba Vives wrote:
> From: Sebastián Alba Vives <sebasjosue84@gmail.com>
>
> event_to_host_cb() uses msg->u.event_to_host.client_component as an
> index into the instance->component[] array (size VCHIQ_MMAL_MAX_COMPONENTS
> = 64) without any bounds validation. The client_component value comes
> from the VideoCore GPU firmware via VCHIQ message passing.
>
> A malicious or buggy GPU firmware could send a crafted
> MMAL_MSG_TYPE_EVENT_TO_HOST message with client_component >= 64 (or
> negative), causing an out-of-bounds array access in kernel memory. This
> results in reading/dereferencing a bogus vchiq_mmal_component structure
> from memory beyond the array, which can lead to kernel crashes or
> potentially arbitrary kernel memory access.
The kernel trusts the hardware the driver is bound to, so this shouldn't
be happening ever, right?
>
> Add a bounds check on comp_idx before using it as an array index.
> Move the component pointer assignment after the validation.
>
> Fixes: b18ee53ad297 ("staging: bcm2835: Break MMAL support out from camera")
> Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
No cc: stable?
> ---
> drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
> index d36ad71cc..4772126d7 100644
> --- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
> +++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
> @@ -477,12 +477,19 @@ static void event_to_host_cb(struct vchiq_mmal_instance *instance,
> struct mmal_msg *msg, u32 msg_len)
> {
> int comp_idx = msg->u.event_to_host.client_component;
> - struct vchiq_mmal_component *component =
> - &instance->component[comp_idx];
> + struct vchiq_mmal_component *component;
> struct vchiq_mmal_port *port = NULL;
> struct mmal_msg_context *msg_context;
> u32 port_num = msg->u.event_to_host.port_num;
>
> + if (comp_idx < 0 || comp_idx >= VCHIQ_MMAL_MAX_COMPONENTS) {
> + pr_err("%s: component index %d out of range\n",
> + __func__, comp_idx);
dev_err() is best, right?
And are you going to allow a malicious hardware device to spam the
kernel log? :)
thanks,
greg k-h
next prev parent reply other threads:[~2026-03-29 6:35 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-29 6:21 [PATCH 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 1/4] staging: vc04_services: vchiq-mmal: fix OOB array access in event_to_host_cb() Sebastian Josue Alba Vives
2026-03-29 6:35 ` Greg Kroah-Hartman [this message]
2026-03-29 7:06 ` Sebastián Alba
2026-03-29 6:21 ` [PATCH 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive() Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set() Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 1/4] staging: vc04_services: vchiq-mmal: validate component index in event_to_host_cb() Sebastian Josue Alba Vives
2026-03-30 9:35 ` Dan Carpenter
2026-03-29 7:15 ` [PATCH v2 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026032936-deniable-visa-2459@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=dave.stevenson@raspberrypi.com \
--cc=florian.fainelli@broadcom.com \
--cc=kernel-list@raspberrypi.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-rpi-kernel@lists.infradead.org \
--cc=linux-staging@lists.linux.dev \
--cc=sebasjosue84@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.