From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
To: Vedang Nagar <quic_vnagar@quicinc.com>,
Stanimir Varbanov <stanimir.k.varbanov@gmail.com>,
Vikash Garodia <quic_vgarodia@quicinc.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] media: venus: fix OOB read issue due to double read
Date: Fri, 17 Jan 2025 10:25:18 +0000 [thread overview]
Message-ID: <4cfc1fe1-2fab-4256-9ce2-b4a0aad1069e@linaro.org> (raw)
In-Reply-To: <13259345-02b0-47ff-94a8-530a17c50b97@quicinc.com>
On 17/01/2025 08:39, Vedang Nagar wrote:
> Below is the first read where dwords is being validated properly with the checks.
> dwords = *rd_ptr >> 2;
>
> Whereas the same address is being read for the second time:
> memcpy(pkt, rd_ptr, dwords << 2);
>
> For the second read the value is not validated which may get updated from the firmware
> leading to incorrect memcpy into the packet and may lead to OOB read access while accessing
> the packet.
So you are saying that pkt points to memory that the firmware and host
can simultaneously access.
The question is - if the length value can change between one read and
another read - how do you trust the _content_ of the packet ?
Surely the right thing to do is to take a _copy_ of the entire frame and
act on that frame exclusively on the host side ?
If I receive a frame, and read length X.
Then I need to re-read that frame because length may now by X+3.
This implies the _data_ in the frame has changed.
What exactly is the valid lifetime of this data from HFI RX interrupt ?
---
bod
next prev parent reply other threads:[~2025-01-17 10:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-04 5:41 [PATCH 0/2] venus driver fixes to avoid possible OOB read access Vedang Nagar
2025-01-04 5:41 ` [PATCH 1/2] media: venus: fix OOB read issue due to double read Vedang Nagar
2025-01-05 23:58 ` Bryan O'Donoghue
2025-01-17 8:39 ` Vedang Nagar
2025-01-17 10:25 ` Bryan O'Donoghue [this message]
2025-01-29 5:00 ` Vedang Nagar
2025-01-04 5:41 ` [PATCH 2/2] media: venus: fix OOB access issue while reading sequence changed events Vedang Nagar
2025-01-06 0:06 ` Bryan O'Donoghue
2025-01-17 8:39 ` Vedang Nagar
2025-01-17 10:32 ` Bryan O'Donoghue
2025-01-29 5:01 ` Vedang Nagar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4cfc1fe1-2fab-4256-9ce2-b4a0aad1069e@linaro.org \
--to=bryan.odonoghue@linaro.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=quic_vgarodia@quicinc.com \
--cc=quic_vnagar@quicinc.com \
--cc=stanimir.k.varbanov@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox