From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Vedang Nagar , Dikshita Agarwal , Bryan ODonoghue , Bryan ODonoghue , Hans Verkuil Subject: [PATCH 5.4 307/403] media: venus: Add a check for packet size after reading from shared memory Date: Tue, 26 Aug 2025 13:10:33 +0200 Message-ID: <20250826110915.295734298@linuxfoundation.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250826110905.607690791@linuxfoundation.org> References: <20250826110905.607690791@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Vedang Nagar commit 49befc830daa743e051a65468c05c2ff9e8580e6 upstream. Add a check to ensure that the packet size does not exceed the number of available words after reading the packet header from shared memory. This ensures that the size provided by the firmware is safe to process and prevent potential out-of-bounds memory access. Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Cc: stable@vger.kernel.org Signed-off-by: Vedang Nagar Co-developed-by: Dikshita Agarwal Signed-off-by: Dikshita Agarwal Reviewed-by: Bryan O'Donoghue Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman --- drivers/media/platform/qcom/venus/hfi_venus.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c @@ -240,6 +240,7 @@ static int venus_write_queue(struct venu static int venus_read_queue(struct venus_hfi_device *hdev, struct iface_queue *queue, void *pkt, u32 *tx_req) { + struct hfi_pkt_hdr *pkt_hdr = NULL; struct hfi_queue_header *qhdr; u32 dwords, new_rd_idx; u32 rd_idx, wr_idx, type, qsize; 
@@ -305,6 +306,9 @@ static int venus_read_queue(struct venus memcpy(pkt, rd_ptr, len); memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2); } + pkt_hdr = (struct hfi_pkt_hdr *)(pkt); + if ((pkt_hdr->size >> 2) != dwords) + return -EINVAL; } else { /* bad packet received, dropping */ new_rd_idx = qhdr->write_idx;
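Review bot: In the first hunk (the declarations at the top of venus_read_queue()), the `= NULL` initializer on `pkt_hdr` is not needed, because the only use shown in this patch assigns the pointer immediately before dereferencing it. Dropping the initializer would let the compiler flag any later use-before-assignment instead of hiding it behind a NULL. Since `pkt` is a `void *`, the assignment in the second hunk also does not need the explicit `(struct hfi_pkt_hdr *)(pkt)` cast.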
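Review bot: In the second hunk, the new `return -EINVAL` exits venus_read_queue() from inside the copy branch, whereas the else branch just below treats a bad packet by setting `new_rd_idx = qhdr->write_idx` and carrying on. It is worth confirming that leaving early here does not skip the read-index update that follows the if/else, since otherwise the same mismatching packet could be presented again on the next read; if that is intended, a short comment would help. Two smaller points: the commit message says the size must "not exceed" the available words, but the test is `(pkt_hdr->size >> 2) != dwords`, which also rejects smaller sizes, and the `>> 2` silently discards the low two bits of a size that is not a multiple of four. Both behaviours look reasonable for a firmware-supplied length, but the message or a comment should say that an exact match is required. Validating the copy in `pkt` rather than re-reading shared memory is the right place for the check, since the firmware can no longer change the value after it has been tested.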