From: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Florian Fainelli <florian.fainelli@broadcom.com>
Cc: bcm-kernel-feedback-list@broadcom.com,
linux-staging@lists.linux.dev,
linux-rpi-kernel@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
linux-media@vger.kernel.org,
"Dave Stevenson" <dave.stevenson@raspberrypi.com>,
kernel-list@raspberrypi.com,
"Sebastián Alba Vives" <sebasjosue84@gmail.com>,
stable@vger.kernel.org
Subject: [PATCH v2 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set()
Date: Sun, 29 Mar 2026 01:15:41 -0600 [thread overview]
Message-ID: <20260329071616.507876-4-sebasjosue84@gmail.com> (raw)
In-Reply-To: <20260329071616.507876-1-sebasjosue84@gmail.com>
From: Sebastián Alba Vives <sebasjosue84@gmail.com>
port_parameter_set() copies value_size bytes from the caller-supplied
value buffer into the stack-allocated struct mmal_msg's
port_parameter_set.value field, which is u32[96] (384 bytes). There is
no bounds check on value_size before the memcpy.
While current in-tree callers pass small fixed-size structures, the
function is exported via EXPORT_SYMBOL_GPL and accessible to any GPL
kernel module. A caller passing value_size > 384 would overflow the
stack-allocated mmal_msg structure.
Add a bounds check rejecting value_size larger than the value field.
Cc: stable@vger.kernel.org
Fixes: b18ee53ad297 ("staging: bcm2835: Break MMAL support out from camera")
Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
---
drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
index 44e5246f1..18e805b92 100644
--- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
@@ -1361,6 +1361,14 @@ static int port_parameter_set(struct vchiq_mmal_instance *instance,
struct mmal_msg *rmsg;
struct vchiq_header *rmsg_handle;
+ if (value_size >
+ sizeof(m.u.port_parameter_set.value)) {
+ pr_err_ratelimited("port_parameter_set: value_size %u exceeds max %zu\n",
+ value_size,
+ sizeof(m.u.port_parameter_set.value));
+ return -EINVAL;
+ }
+
m.h.type = MMAL_MSG_TYPE_PORT_PARAMETER_SET;
m.u.port_parameter_set.component_handle = port->component->handle;
--
2.43.0
next prev parent reply other threads:[~2026-03-29 7:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-29 6:21 [PATCH 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 1/4] staging: vc04_services: vchiq-mmal: fix OOB array access in event_to_host_cb() Sebastian Josue Alba Vives
2026-03-29 6:35 ` Greg Kroah-Hartman
2026-03-29 7:06 ` Sebastián Alba
2026-03-29 6:21 ` [PATCH 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive() Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set() Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 1/4] staging: vc04_services: vchiq-mmal: validate component index in event_to_host_cb() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive() Sebastian Josue Alba Vives
2026-03-29 7:15 ` Sebastian Josue Alba Vives [this message]
2026-03-29 7:15 ` [PATCH v2 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260329071616.507876-4-sebasjosue84@gmail.com \
--to=sebasjosue84@gmail.com \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=dave.stevenson@raspberrypi.com \
--cc=florian.fainelli@broadcom.com \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-list@raspberrypi.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-rpi-kernel@lists.infradead.org \
--cc=linux-staging@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox