* [PATCH 00/13] Media: fix several issues on drivers
@ 2024-10-16 10:22 Mauro Carvalho Chehab
From: Mauro Carvalho Chehab @ 2024-10-16 10:22 UTC
Cc: Mauro Carvalho Chehab, Krzysztof Hałasa,
Andrzej Pietrasiewicz, Hans Verkuil, Jacek Anaszewski,
Martin Tuma, Mauro Carvalho Chehab, Sakari Ailus,
Sylwester Nawrocki, linux-arm-kernel, linux-kernel, linux-media,
linux-staging
There are a number of issues that aren't passing on some static analyzer
checks.
Address some of them.
Mauro Carvalho Chehab (13):
media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
media: v4l2-tpg: prevent the risk of a division by zero
media: dvbdev: prevent the risk of out of memory access
media: dvb_frontend: don't play tricks with underflow values
media: mgb4: protect driver against spectre
media: av7110: fix a spectre vulnerability
media: s5p-jpeg: prevent buffer overflows
media: ar0521: don't overflow when checking PLL values
media: cx24116: prevent overflows on SNR calculus
media: adv7604 prevent underflow condition when reporting colorspace
media: stb0899_algo: initialize cfr before using it
media: cec: extron-da-hd-4k-plus: don't use -1 as an error code
media: pulse8-cec: fix data timestamp at pulse8_setup()
.../extron-da-hd-4k-plus.c | 6 ++---
drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +-
drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +++
drivers/media/dvb-core/dvb_frontend.c | 4 +--
drivers/media/dvb-core/dvbdev.c | 17 ++++++++++--
drivers/media/dvb-frontends/cx24116.c | 7 ++++-
drivers/media/dvb-frontends/stb0899_algo.c | 2 +-
drivers/media/i2c/adv7604.c | 26 ++++++++++++-------
drivers/media/i2c/ar0521.c | 4 +--
drivers/media/pci/mgb4/mgb4_cmt.c | 2 ++
.../platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++-----
drivers/media/v4l2-core/v4l2-ctrls-api.c | 10 ++++---
drivers/staging/media/av7110/av7110.h | 4 ++-
drivers/staging/media/av7110/av7110_ca.c | 25 ++++++++++++------
14 files changed, 90 insertions(+), 39 deletions(-)
--
2.47.0
* [PATCH 07/13] media: s5p-jpeg: prevent buffer overflows
From: Mauro Carvalho Chehab @ 2024-10-16 10:22 UTC
Cc: Mauro Carvalho Chehab, Andrzej Pietrasiewicz, Hans Verkuil,
Jacek Anaszewski, Mauro Carvalho Chehab, Sylwester Nawrocki,
linux-arm-kernel, linux-kernel, linux-media, stable
The current logic allows word to be less than 2. If this happens,
there will be buffer overflows. Add extra checks to prevent it.
While here, remove an unused word = 0 assignment.
Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
---
.../media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
index d2c4a0178b3c..1db4609b3557 100644
--- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
@@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx)
(unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
jpeg_buffer.curr = 0;
- word = 0;
-
if (get_word_be(&jpeg_buffer, &word))
return;
- jpeg_buffer.size = (long)word - 2;
+
+ if (word < 2)
+ jpeg_buffer.size = 0;
+ else
+ jpeg_buffer.size = (long)word - 2;
+
jpeg_buffer.data += 2;
jpeg_buffer.curr = 0;
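Review bot: the new `word < 2` guard sets jpeg_buffer.size to 0 and lets exynos4_jpeg_parse_decode_h_tbl() carry on parsing an empty buffer, whereas a failed get_word_be() two lines above returns immediately; a segment length below 2 is malformed input in either case, so returning here as well (or a one-line comment stating why an empty buffer is the intended outcome) would make the intent explicit and keep the two error paths consistent. Dropping the `word = 0;` initialisation is fine, since get_word_be() either stores into *word or returns -1 without the caller using it.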
@@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_buffer *buf, unsigned int *word)
if (byte == -1)
return -1;
*word = (unsigned int)byte | temp;
+
return 0;
}
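Review bot: this hunk is whitespace only (a blank line before `return 0;` in get_word_be()) and has nothing to do with the buffer-overflow fix the commit message describes; since the patch is tagged for stable, drop it or move it to a separate cleanup so the backport stays minimal.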
@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
if (get_word_be(&jpeg_buffer, &word))
break;
length = (long)word - 2;
- if (!length)
+ if (length <= 0)
return false;
sof = jpeg_buffer.curr; /* after 0xffc0 */
sof_len = length;
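Review bot: `length <= 0` is the right test here because word is an unsigned int (see the get_word_be() signature in the previous hunk) and `(long)word - 2` goes negative for word < 2, which the old `!length` check let through; the same three lines (`length = (long)word - 2;` followed by the `<= 0` check) now appear for SOF, DQT and DHT in s5p_jpeg_parse_hdr(), so a small helper that reads the marker length and rejects anything below 2 would keep the three sites from drifting apart again.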
@@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
if (get_word_be(&jpeg_buffer, &word))
break;
length = (long)word - 2;
- if (!length)
+ if (length <= 0)
return false;
if (n_dqt >= S5P_JPEG_MAX_MARKER)
return false;
@@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
if (get_word_be(&jpeg_buffer, &word))
break;
length = (long)word - 2;
- if (!length)
+ if (length <= 0)
return false;
if (n_dht >= S5P_JPEG_MAX_MARKER)
return false;
@@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
if (get_word_be(&jpeg_buffer, &word))
break;
length = (long)word - 2;
+ /* No need to check underflows as skip() does it */
skip(&jpeg_buffer, length);
break;
}
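Review bot: the added comment asserts that skip() handles a negative length, but nothing in this patch shows skip()'s signature or body, so the claim cannot be checked from the diff; if skip() takes a long and clamps or rejects negative values, say so in the comment, and if it takes an unsigned size the negative long would convert to a very large value, in which case the same `length <= 0` check used for the SOF/DQT/DHT markers above is the safer and more uniform choice.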
--
2.47.0
* Re: [PATCH 07/13] media: s5p-jpeg: prevent buffer overflows
From: Jacek Anaszewski @ 2024-10-17 10:34 UTC
To: Mauro Carvalho Chehab
Cc: Andrzej Pietrasiewicz, Hans Verkuil, Sylwester Nawrocki,
linux-arm-kernel, linux-kernel, linux-media, stable
Hi Mauro,
On 10/16/24 12:22, Mauro Carvalho Chehab wrote:
> The current logic allows word to be less than 2. If this happens,
> there will be buffer overflows. Add extra checks to prevent it.
>
> While here, remove an unused word = 0 assignment.
>
> Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> ---
> .../media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
> index d2c4a0178b3c..1db4609b3557 100644
> --- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
> +++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
> @@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx)
> (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
> jpeg_buffer.curr = 0;
>
> - word = 0;
> -
> if (get_word_be(&jpeg_buffer, &word))
> return;
> - jpeg_buffer.size = (long)word - 2;
> +
> + if (word < 2)
> + jpeg_buffer.size = 0;
> + else
> + jpeg_buffer.size = (long)word - 2;
> +
> jpeg_buffer.data += 2;
> jpeg_buffer.curr = 0;
>
> @@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_buffer *buf, unsigned int *word)
> if (byte == -1)
> return -1;
> *word = (unsigned int)byte | temp;
> +
> return 0;
> }
>
> @@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
> if (get_word_be(&jpeg_buffer, &word))
> break;
> length = (long)word - 2;
> - if (!length)
> + if (length <= 0)
> return false;
> sof = jpeg_buffer.curr; /* after 0xffc0 */
> sof_len = length;
> @@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
> if (get_word_be(&jpeg_buffer, &word))
> break;
> length = (long)word - 2;
> - if (!length)
> + if (length <= 0)
> return false;
> if (n_dqt >= S5P_JPEG_MAX_MARKER)
> return false;
> @@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
> if (get_word_be(&jpeg_buffer, &word))
> break;
> length = (long)word - 2;
> - if (!length)
> + if (length <= 0)
> return false;
> if (n_dht >= S5P_JPEG_MAX_MARKER)
> return false;
> @@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result,
> if (get_word_be(&jpeg_buffer, &word))
> break;
> length = (long)word - 2;
> + /* No need to check underflows as skip() does it */
> skip(&jpeg_buffer, length);
> break;
> }
Seems reasonable.
Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
--
Best regards,
Jacek Anaszewski