From: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Florian Fainelli <florian.fainelli@broadcom.com>
Cc: bcm-kernel-feedback-list@broadcom.com,
linux-staging@lists.linux.dev,
linux-rpi-kernel@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
linux-media@vger.kernel.org,
"Dave Stevenson" <dave.stevenson@raspberrypi.com>,
kernel-list@raspberrypi.com,
"Sebastián Alba Vives" <sebasjosue84@gmail.com>,
stable@vger.kernel.org
Subject: [PATCH v2 1/4] staging: vc04_services: vchiq-mmal: validate component index in event_to_host_cb()
Date: Sun, 29 Mar 2026 01:15:39 -0600 [thread overview]
Message-ID: <20260329071616.507876-2-sebasjosue84@gmail.com> (raw)
In-Reply-To: <20260329071616.507876-1-sebasjosue84@gmail.com>
From: Sebastián Alba Vives <sebasjosue84@gmail.com>
event_to_host_cb() uses msg->u.event_to_host.client_component as an
index into the instance->component[] array (size VCHIQ_MMAL_MAX_COMPONENTS
= 64) without bounds validation. While the kernel generally trusts the
hardware it is bound to, a bounds check here hardens the driver against
potential firmware bugs that could otherwise cause an uncontrolled
out-of-bounds array access and kernel crash.
Add a bounds check on comp_idx before using it as an array index and
move the component pointer assignment after the validation. Use
pr_err_ratelimited() to avoid log flooding. Note: this file does not
currently have access to a struct device, so dev_err() is not available.
Cc: stable@vger.kernel.org
Fixes: b18ee53ad297 ("staging: bcm2835: Break MMAL support out from camera")
Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
---
drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
index d36ad71cc..9c6533f82 100644
--- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
@@ -477,12 +477,19 @@ static void event_to_host_cb(struct vchiq_mmal_instance *instance,
struct mmal_msg *msg, u32 msg_len)
{
int comp_idx = msg->u.event_to_host.client_component;
- struct vchiq_mmal_component *component =
- &instance->component[comp_idx];
+ struct vchiq_mmal_component *component;
struct vchiq_mmal_port *port = NULL;
struct mmal_msg_context *msg_context;
u32 port_num = msg->u.event_to_host.port_num;
+ if (comp_idx < 0 || comp_idx >= VCHIQ_MMAL_MAX_COMPONENTS) {
+ pr_err_ratelimited("%s: component index %d out of range\n",
+ __func__, comp_idx);
+ return;
+ }
+
+ component = &instance->component[comp_idx];
+
if (msg->u.buffer_from_host.drvbuf.magic == MMAL_MAGIC) {
pr_err("%s: MMAL_MSG_TYPE_BUFFER_TO_HOST with bad magic\n",
__func__);
--
2.43.0
next prev parent reply other threads:[~2026-03-29 7:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-29 6:21 [PATCH 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 1/4] staging: vc04_services: vchiq-mmal: fix OOB array access in event_to_host_cb() Sebastian Josue Alba Vives
2026-03-29 6:35 ` Greg Kroah-Hartman
2026-03-29 7:06 ` Sebastián Alba
2026-03-29 6:21 ` [PATCH 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive() Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set() Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 7:15 ` Sebastian Josue Alba Vives [this message]
2026-03-29 7:15 ` [PATCH v2 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260329071616.507876-2-sebasjosue84@gmail.com \
--to=sebasjosue84@gmail.com \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=dave.stevenson@raspberrypi.com \
--cc=florian.fainelli@broadcom.com \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-list@raspberrypi.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-rpi-kernel@lists.infradead.org \
--cc=linux-staging@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox