From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
Cc: Florian Fainelli <florian.fainelli@broadcom.com>,
bcm-kernel-feedback-list@broadcom.com,
linux-staging@lists.linux.dev,
linux-rpi-kernel@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
linux-media@vger.kernel.org,
Dave Stevenson <dave.stevenson@raspberrypi.com>,
kernel-list@raspberrypi.com
Subject: Re: [PATCH 1/4] staging: vc04_services: vchiq-mmal: fix OOB array access in event_to_host_cb()
Date: Sun, 29 Mar 2026 08:35:36 +0200 [thread overview]
Message-ID: <2026032936-deniable-visa-2459@gregkh> (raw)
In-Reply-To: <20260329062229.493430-2-sebasjosue84@gmail.com>
On Sun, Mar 29, 2026 at 12:21:11AM -0600, Sebastian Josue Alba Vives wrote:
> From: Sebastián Alba Vives <sebasjosue84@gmail.com>
>
> event_to_host_cb() uses msg->u.event_to_host.client_component as an
> index into the instance->component[] array (size VCHIQ_MMAL_MAX_COMPONENTS
> = 64) without any bounds validation. The client_component value comes
> from the VideoCore GPU firmware via VCHIQ message passing.
>
> A malicious or buggy GPU firmware could send a crafted
> MMAL_MSG_TYPE_EVENT_TO_HOST message with client_component >= 64 (or
> negative), causing an out-of-bounds array access in kernel memory. This
> results in reading/dereferencing a bogus vchiq_mmal_component structure
> from memory beyond the array, which can lead to kernel crashes or
> potentially arbitrary kernel memory access.
The kernel trusts the hardware the driver is bound to, so this shouldn't
be happening ever, right?
>
> Add a bounds check on comp_idx before using it as an array index.
> Move the component pointer assignment after the validation.
>
> Fixes: b18ee53ad297 ("staging: bcm2835: Break MMAL support out from camera")
> Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
No cc: stable?
> ---
> drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
> index d36ad71cc..4772126d7 100644
> --- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
> +++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
> @@ -477,12 +477,19 @@ static void event_to_host_cb(struct vchiq_mmal_instance *instance,
> struct mmal_msg *msg, u32 msg_len)
> {
> int comp_idx = msg->u.event_to_host.client_component;
> - struct vchiq_mmal_component *component =
> - &instance->component[comp_idx];
> + struct vchiq_mmal_component *component;
> struct vchiq_mmal_port *port = NULL;
> struct mmal_msg_context *msg_context;
> u32 port_num = msg->u.event_to_host.port_num;
>
> + if (comp_idx < 0 || comp_idx >= VCHIQ_MMAL_MAX_COMPONENTS) {
> + pr_err("%s: component index %d out of range\n",
> + __func__, comp_idx);
dev_err() is best, right?
And are you going to allow a malicious hardware device to spam the
kernel log? :)
thanks,
greg k-h
next prev parent reply other threads:[~2026-03-29 6:35 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-29 6:21 [PATCH 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 1/4] staging: vc04_services: vchiq-mmal: fix OOB array access in event_to_host_cb() Sebastian Josue Alba Vives
2026-03-29 6:35 ` Greg Kroah-Hartman [this message]
2026-03-29 7:06 ` Sebastián Alba
2026-03-29 6:21 ` [PATCH 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive() Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set() Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 1/4] staging: vc04_services: vchiq-mmal: validate component index in event_to_host_cb() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026032936-deniable-visa-2459@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=dave.stevenson@raspberrypi.com \
--cc=florian.fainelli@broadcom.com \
--cc=kernel-list@raspberrypi.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-rpi-kernel@lists.infradead.org \
--cc=linux-staging@lists.linux.dev \
--cc=sebasjosue84@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox