From: Aleksandr Burakov
To: Sakari Ailus, Bingbu Cao, Tianshu Qiu
Cc: Aleksandr Burakov, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH] staging: media: ipu3: buffer overflow fix in imgu_map_node
Date: Fri, 23 Dec 2022 15:30:25 +0300
Message-Id: <20221223123025.5948-1-a.burakov@rosalinux.ru>
X-Mailing-List: linux-staging@lists.linux.dev

If imgu_node_map[i].css_queue is not equal to css_queue then "i" after the loop could be equal to IMGU_NODE_NUM that is more than the border value (IMGU_NODE_NUM - 1). So imgu_map_node() call may return IMGU_NODE_NUM that is more than the expected value.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver")
Signed-off-by: Aleksandr Burakov

--- drivers/staging/media/ipu3/ipu3.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ip= u3/ipu3.c index 0c453b37f8c4..cb09eb3cc227 100644 --- a/drivers/staging/media/ipu3/ipu3.c +++ b/drivers/staging/media/ipu3/ipu3.c @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, u= nsigned int css_queue) for (i =3D 0; i < IMGU_NODE_NUM; i++) if (imgu_node_map[i].css_queue =3D=3D css_queue) break; - - return i; + if (i < IMGU_NODE_NUM) + return i; + else + return (IMGU_NODE_NUM - 1); } =20 /**************** Dummy buffers ****************/ --=20 2.25.1
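
Review bot: the new `else` branch at the end of imgu_map_node() returns IMGU_NODE_NUM - 1 when no imgu_node_map[] entry matches css_queue, so an unknown queue is silently treated as the last valid node and the caller cannot tell a real match from a miss. That keeps the returned index in range, but it can direct work to the wrong node without leaving any trace. Since the function returns unsigned int, consider at least reporting the miss before the fallback (for example with WARN_ON or dev_warn), or changing the return type so callers can check for an error. On style, the `else` after `return i;` is redundant, the parentheses in `return (IMGU_NODE_NUM - 1);` are not needed, and the blank line that separated the loop from the return is dropped and would be worth keeping.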