* [PATCH 0/2] media: atomisp: validate user-supplied buffer sizes in two ioctl paths
@ 2026-06-26 16:40 Doruk Tan Ozturk
From: Doruk Tan Ozturk @ 2026-06-26 16:40 UTC
To: Hans de Goede, Andy Shevchenko, Mauro Carvalho Chehab,
Greg Kroah-Hartman
Cc: Sakari Ailus, linux-media, linux-staging, linux-kernel,
Doruk Tan Ozturk
Two ioctls in the AtomISP staging driver size a kernel buffer from one
user-supplied field but use a *different* user-supplied field as the
copy/store length, with no cross-check, allowing a kernel heap/ISP-memory
out-of-bounds write:
1) atomisp_v4l2_framebuffer_to_css_frame(): frame allocated from
width/height/format, but hmm_store() uses arg->fmt.sizeimage.
2) atomisp_cp_dvs_6axis_config(): DVS 6-axis table allocated from the
stream grid, but copy_from_compatible() uses the user width/height
(both ISP2401 and ISP2400 paths).
Both add a bound check before the copy. Found by 0sec's autonomous
vulnerability analysis (https://0sec.ai); identified by static analysis,
not yet runtime-reproduced (Intel Atom ISP hardware required).
Doruk Tan Ozturk (2):
media: atomisp: validate sizeimage against the allocated frame in
framebuffer-to-CSS
media: atomisp: bound DVS 6-axis table dimensions to the allocated
config
.../staging/media/atomisp/pci/atomisp_cmd.c | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
--
2.43.0
* [PATCH 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS
From: Doruk Tan Ozturk @ 2026-06-26 16:40 UTC
To: Hans de Goede, Andy Shevchenko, Mauro Carvalho Chehab,
Greg Kroah-Hartman
Cc: Sakari Ailus, linux-media, linux-staging, linux-kernel,
Doruk Tan Ozturk
atomisp_v4l2_framebuffer_to_css_frame() allocates the CSS frame
(res->data) from arg->fmt.{width,height,format} but then
hmm_store()s arg->fmt.sizeimage bytes into it. sizeimage is an
independent user-controlled v4l2_pix_format field with no cross-check, so
a sizeimage larger than the allocated frame overflows res->data (ISP/hmm
memory). Reject sizeimage > res->data_bytes before the store.
Found by static analysis; not yet runtime-reproduced (Intel Atom ISP
hardware required).
Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
drivers/staging/media/atomisp/pci/atomisp_cmd.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
index 6cd500d9f..966b84402 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
@@ -3331,6 +3331,16 @@ atomisp_v4l2_framebuffer_to_css_frame(const struct v4l2_framebuffer *arg,
goto err;
}
+ /*
+ * sizeimage is a separate user-controlled v4l2_pix_format field; the
+ * frame above was sized from width/height/format. Reject a sizeimage
+ * that would overflow the allocated frame in the hmm_store() below.
+ */
+ if (arg->fmt.sizeimage > res->data_bytes) {
+ ret = -EINVAL;
+ goto err;
+ }
+
tmp_buf = vmalloc(arg->fmt.sizeimage);
if (!tmp_buf) {
ret = -ENOMEM;
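Review bot: the new check bounds only the upper end, so a zero sizeimage still passes and reaches `tmp_buf = vmalloc(arg->fmt.sizeimage);` as vmalloc(0), which fails under a kernel warning rather than with a clean -EINVAL; `if (!arg->fmt.sizeimage || arg->fmt.sizeimage > res->data_bytes)` would reject it up front. A sizeimage smaller than res->data_bytes also still passes and leaves the tail of the frame untouched by the hmm_store() the comment refers to, which is only acceptable if the CSS tolerates a partially filled frame; if it does not, `!=` is the tighter comparison. The patch also carries no Fixes: tag.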
--
2.43.0
* Re: [PATCH 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS
From: Dan Carpenter @ 2026-06-26 17:12 UTC
To: Doruk Tan Ozturk
Cc: Hans de Goede, Andy Shevchenko, Mauro Carvalho Chehab,
Greg Kroah-Hartman, Sakari Ailus, linux-media, linux-staging,
linux-kernel
On Fri, Jun 26, 2026 at 06:40:41PM +0200, Doruk Tan Ozturk wrote:
> atomisp_v4l2_framebuffer_to_css_frame() allocates the CSS frame
> (res->data) from arg->fmt.{width,height,format} but then
> hmm_store()s arg->fmt.sizeimage bytes into it. sizeimage is an
> independent user-controlled v4l2_pix_format field with no cross-check, so
> a sizeimage larger than the allocated frame overflows res->data (ISP/hmm
> memory). Reject sizeimage > res->data_bytes before the store.
>
> Found by static analysis; not yet runtime-reproduced (Intel Atom ISP
> hardware required).
>
> Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).
>
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
We need a Fixes tag for all three of these patches.
> ---
> drivers/staging/media/atomisp/pci/atomisp_cmd.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
> index 6cd500d9f..966b84402 100644
> --- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
> +++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
> @@ -3331,6 +3331,16 @@ atomisp_v4l2_framebuffer_to_css_frame(const struct v4l2_framebuffer *arg,
> goto err;
> }
>
> + /*
> + * sizeimage is a separate user-controlled v4l2_pix_format field; the
> + * frame above was sized from width/height/format. Reject a sizeimage
> + * that would overflow the allocated frame in the hmm_store() below.
> + */
> + if (arg->fmt.sizeimage > res->data_bytes) {
> + ret = -EINVAL;
> + goto err;
> + }
The math to calculate the size from width/height in
frame_init_raw_single_plane() and similar functions looks like it
has integer overflow bugs as well.
regards,
dan carpenter
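An added example, not code from the atomisp driver or from either patch: a user-space C model of the check patch 1/2 adds, with the width/height arithmetic done with overflow detection as Dan's remark about frame_init_raw_single_plane() suggests. The kernel's own tool for this is check_mul_overflow(); here the compiler builtin it wraps is used so the model runs outside the kernel. All names (the model_* helpers, the bytes_per_pixel field standing in for the pixel format) are assumptions, and the inputs at the bottom are constructed.

```c
/*
 * Added example, not atomisp driver code: a user-space model of sizing a
 * buffer from width/height/format and then validating an independent,
 * user-supplied length (sizeimage) against that size. Names are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Stand-in for the allocated CSS frame (res->data / res->data_bytes). */
struct model_frame {
	size_t data_bytes;
};

/* Stand-in for the user-controlled v4l2_pix_format fields. */
struct model_pix_format {
	uint32_t width;
	uint32_t height;
	uint32_t bytes_per_pixel;	/* assumption: stands in for the format */
	uint32_t sizeimage;		/* independent field, never used as a length unchecked */
};

/*
 * width * height * bytes_per_pixel without wrapping. A wrapped product would
 * make the later bound check meaningless, which is the point Dan raises about
 * the driver's own size math. Returns 0, -EINVAL on a zero dimension, or
 * -ERANGE on overflow (the kernel's check_mul_overflow() has the same shape).
 */
int model_frame_bytes(const struct model_pix_format *fmt, size_t *out)
{
	size_t bytes;

	if (!fmt->width || !fmt->height || !fmt->bytes_per_pixel)
		return -EINVAL;
	if (__builtin_mul_overflow((size_t)fmt->width, (size_t)fmt->height, &bytes))
		return -ERANGE;
	if (__builtin_mul_overflow(bytes, (size_t)fmt->bytes_per_pixel, &bytes))
		return -ERANGE;
	*out = bytes;
	return 0;
}

/*
 * The cross-check the patch adds: the copy length must not exceed what was
 * allocated. Zero is rejected as well so that a following vmalloc()-style
 * allocation never sees a size of 0.
 */
int model_validate_sizeimage(const struct model_pix_format *fmt,
			     const struct model_frame *frame)
{
	if (!fmt->sizeimage || fmt->sizeimage > frame->data_bytes)
		return -EINVAL;
	return 0;
}

/* End to end: size the frame from geometry, then admit or reject sizeimage. */
int model_framebuffer_to_frame(const struct model_pix_format *fmt)
{
	struct model_frame frame;
	int ret;

	ret = model_frame_bytes(fmt, &frame.data_bytes);
	if (ret)
		return ret;
	return model_validate_sizeimage(fmt, &frame);
}

int main(void)
{
	/* Constructed inputs: in bounds, one byte too large, and a wrapping geometry. */
	struct model_pix_format ok   = { 640, 480, 2, 640 * 480 * 2 };
	struct model_pix_format big  = { 640, 480, 2, 640 * 480 * 2 + 1 };
	struct model_pix_format wrap = { UINT32_MAX, UINT32_MAX, 4, 16 };

	printf("ok:   %d\n", model_framebuffer_to_frame(&ok));	/* 0 */
	printf("big:  %d\n", model_framebuffer_to_frame(&big));	/* -EINVAL */
	printf("wrap: %d\n", model_framebuffer_to_frame(&wrap));	/* -ERANGE */
	return 0;
}
```

The wrapping case is the one a plain `width * height * bpp` in 32-bit arithmetic would miss: the product wraps to a small value, the frame is allocated small, and a sizeimage that fits the wrapped size would then pass a naive bound check.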
* [PATCH 2/2] media: atomisp: bound DVS 6-axis table dimensions to the allocated config
From: Doruk Tan Ozturk @ 2026-06-26 16:40 UTC
To: Hans de Goede, Andy Shevchenko, Mauro Carvalho Chehab,
Greg Kroah-Hartman
Cc: Sakari Ailus, linux-media, linux-staging, linux-kernel,
Doruk Tan Ozturk
atomisp_cp_dvs_6axis_config() copies the DVS 6-axis coordinate tables with
the user-supplied width/height (t_6axis_config / source_6axis_config) as
the copy_from_compatible() length, while the destination is allocated by
ia_css_dvs2_6axis_config_allocate() from the stream grid dimensions. User
dimensions larger than the allocated grid overflow the xcoords/ycoords
buffers. Reject user dimensions that exceed the allocated config in both
the ISP2401 and ISP2400 paths before the copies.
Found by static analysis; not yet runtime-reproduced (Intel Atom ISP
hardware required).
Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
drivers/staging/media/atomisp/pci/atomisp_cmd.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
index 966b84402..b04d3f3ca 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
@@ -2632,6 +2632,14 @@ int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd,
dvs_6axis_config->exp_id = t_6axis_config.exp_id;
+ if (t_6axis_config.width_y > dvs_6axis_config->width_y ||
+ t_6axis_config.height_y > dvs_6axis_config->height_y ||
+ t_6axis_config.width_uv > dvs_6axis_config->width_uv ||
+ t_6axis_config.height_uv > dvs_6axis_config->height_uv) {
+ ret = -EINVAL;
+ goto error;
+ }
+
if (copy_from_compatible(dvs_6axis_config->xcoords_y,
t_6axis_config.xcoords_y,
t_6axis_config.width_y *
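Review bot: bounding each dimension separately is what makes the `t_6axis_config.width_y *` copy length safe, since a product of values that each fit the allocated grid cannot exceed the allocated xcoords_y/ycoords_y size or wrap; two things would tighten it. First, if the CSS consumes the full allocated grid, `!=` is the right comparison rather than `>`: with `>` a smaller user table copies fewer coordinates and leaves the rest of the allocated buffers unfilled. Second, the check depends on dvs_6axis_config->width_y/height_y/width_uv/height_uv having been set from the stream grid by ia_css_dvs2_6axis_config_allocate() before this point, which the commit message states but the hunk does not show; a one-line comment above the check saying the allocated dimensions are the authoritative bound would help the next reader. A Fixes: tag is missing.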
@@ -2684,6 +2692,14 @@ int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd,
dvs_6axis_config->exp_id = source_6axis_config->exp_id;
+ if (source_6axis_config->width_y > dvs_6axis_config->width_y ||
+ source_6axis_config->height_y > dvs_6axis_config->height_y ||
+ source_6axis_config->width_uv > dvs_6axis_config->width_uv ||
+ source_6axis_config->height_uv > dvs_6axis_config->height_uv) {
+ ret = -EINVAL;
+ goto error;
+ }
+
if (copy_from_compatible(dvs_6axis_config->xcoords_y,
source_6axis_config->xcoords_y,
source_6axis_config->width_y *
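Review bot: this block is a line-for-line duplicate of the ISP2401 check in the previous hunk with `source_6axis_config->` in place of `t_6axis_config.`; a small static helper taking the four user dimensions and the allocated config (a hypothetical `atomisp_dvs_6axis_dims_fit()`, for instance) would keep the two paths from drifting apart when one of them is changed later. The same `!=` versus `>` question applies here, and this patch also carries no Fixes: tag.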
--
2.43.0