From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
To: Vedang Nagar <quic_vnagar@quicinc.com>,
Stanimir Varbanov <stanimir.k.varbanov@gmail.com>,
Vikash Garodia <quic_vgarodia@quicinc.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] media: venus: fix OOB access issue while reading sequence changed events
Date: Fri, 17 Jan 2025 10:32:17 +0000 [thread overview]
Message-ID: <0eab7323-ce86-40c7-9737-06eedcdf492d@linaro.org> (raw)
In-Reply-To: <7a782ea9-f227-4f46-a757-b4b69f5c287f@quicinc.com>
On 17/01/2025 08:39, Vedang Nagar wrote:
> Hi Bryan,
>
> On 1/6/2025 5:36 AM, Bryan O'Donoghue wrote:
>> On 04/01/2025 05:41, Vedang Nagar wrote:
>>> num_properties_changed is being read from the message queue but is
>>> not validated. Value can be corrupted from the firmware leading to
>>> OOB read access issues. Add fix to read the size of the packets as
>>> well and crosscheck before reading from the packet.
>>>
>>> Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
>> Please see Vikash's series on this.
>>
>> https://lore.kernel.org/linux-arm-msm/20241128-venus_oob_2-v2-2-483ae0a464b8@quicinc.com/
>>
>> it seems to have exactly the same patch title ?
>>
>> Is this patch supposed to be a follow-up to that patch ?
>>
>> https://lore.kernel.org/linux-arm-msm/20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com/
>>
>> Expecting to see a V3 of the above. If the intention is to supersede that patch or some of those patches you should make clear here.
> No, this is a different series having OOB fixes similar to ones posted by Vikash.
OK, please use a different patch title.
I understand the motive to repeat the patch title but, its confusing. If
you added some text to make the OOB more specific then it would be
possible to differentiate between.
"fix OOB access issue while reading sequence changed events 'in some
location' || 'on some path'"
>>
>> On the switch statement I'd have two comments.
>>
>> #1 is everything really a " -= sizeof(u32)" ?
> Yes, it's everytime " -= sizeof(u32) " since the first the first word read is ptype of size u32
>> #2 if so then this ought to be factored out into a function
>> => functional decomposition
> Sure, will fix this with decomposition into functions.
Is firmware sending a change event or updating a packet already in memory ?
What is the nature of the change event and how do you guarantee the
second read is valid when the first read can be considered invalid ?
i.e.
- Read - derive read value X.
- Do some stuff.
- Read - again to make sure length value is still X.
- Do all sorts of other processing.
At which point is the sequence considered complete and the data
considered "locked" and valid ?
What happens if you get a subsequent change event once this procedure
has completed ?
---
bod
next prev parent reply other threads:[~2025-01-17 10:32 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-04 5:41 [PATCH 0/2] venus driver fixes to avoid possible OOB read access Vedang Nagar
2025-01-04 5:41 ` [PATCH 1/2] media: venus: fix OOB read issue due to double read Vedang Nagar
2025-01-05 23:58 ` Bryan O'Donoghue
2025-01-17 8:39 ` Vedang Nagar
2025-01-17 10:25 ` Bryan O'Donoghue
2025-01-29 5:00 ` Vedang Nagar
2025-01-04 5:41 ` [PATCH 2/2] media: venus: fix OOB access issue while reading sequence changed events Vedang Nagar
2025-01-06 0:06 ` Bryan O'Donoghue
2025-01-17 8:39 ` Vedang Nagar
2025-01-17 10:32 ` Bryan O'Donoghue [this message]
2025-01-29 5:01 ` Vedang Nagar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0eab7323-ce86-40c7-9737-06eedcdf492d@linaro.org \
--to=bryan.odonoghue@linaro.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=quic_vgarodia@quicinc.com \
--cc=quic_vnagar@quicinc.com \
--cc=stanimir.k.varbanov@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox