From: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Florian Fainelli <florian.fainelli@broadcom.com>
Cc: bcm-kernel-feedback-list@broadcom.com,
linux-staging@lists.linux.dev,
linux-rpi-kernel@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
linux-media@vger.kernel.org,
"Dave Stevenson" <dave.stevenson@raspberrypi.com>,
kernel-list@raspberrypi.com,
"Sebastián Alba Vives" <sebasjosue84@gmail.com>
Subject: [PATCH 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive()
Date: Sun, 29 Mar 2026 00:21:12 -0600 [thread overview]
Message-ID: <20260329062229.493430-3-sebasjosue84@gmail.com> (raw)
In-Reply-To: <20260329062229.493430-1-sebasjosue84@gmail.com>
From: Sebastián Alba Vives <sebasjosue84@gmail.com>
inline_receive() copies payload data from a VCHIQ message into a
destination buffer using payload_in_message as the copy length, but
never validates that this length fits within the destination buffer
(msg_context->u.bulk.buffer->buffer_size).
While the caller validates payload_in_message <= MMAL_VC_SHORT_DATA
(128) to prevent overreading the source, the destination buffer may be
smaller than 128 bytes. This is inconsistent with bulk_receive() which
does check buffer_size before copying. A VideoCore GPU sending a short
inline payload to a smaller destination buffer would cause a heap buffer
overflow in kernel memory.
Add a bounds check against buffer_size and truncate the copy length if
it exceeds the destination capacity, matching the defensive pattern used
in bulk_receive().
Fixes: b18ee53ad297 ("staging: bcm2835: Break MMAL support out from camera")
Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
---
.../vc04_services/vchiq-mmal/mmal-vchiq.c | 20 ++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
index 4772126d7..e18471930 100644
--- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
@@ -368,12 +368,26 @@ static int inline_receive(struct vchiq_mmal_instance *instance,
struct mmal_msg *msg,
struct mmal_msg_context *msg_context)
{
+ u32 payload_len = msg->u.buffer_from_host.payload_in_message;
+
+ /*
+ * Ensure the payload fits within the destination buffer.
+ * The caller already validates payload_len <= MMAL_VC_SHORT_DATA
+ * against the source, but the destination buffer may be smaller.
+ * bulk_receive() performs this check; inline_receive() must too.
+ */
+ if (payload_len > msg_context->u.bulk.buffer->buffer_size) {
+ payload_len = msg_context->u.bulk.buffer->buffer_size;
+ pr_warn("inline_receive: payload truncated (%u > %lu)\n",
+ msg->u.buffer_from_host.payload_in_message,
+ msg_context->u.bulk.buffer->buffer_size);
+ }
+
memcpy(msg_context->u.bulk.buffer->buffer,
msg->u.buffer_from_host.short_data,
- msg->u.buffer_from_host.payload_in_message);
+ payload_len);
- msg_context->u.bulk.buffer_used =
- msg->u.buffer_from_host.payload_in_message;
+ msg_context->u.bulk.buffer_used = payload_len;
return 0;
}
--
2.43.0
next prev parent reply other threads:[~2026-03-29 6:22 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-29 6:21 [PATCH 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 1/4] staging: vc04_services: vchiq-mmal: fix OOB array access in event_to_host_cb() Sebastian Josue Alba Vives
2026-03-29 6:35 ` Greg Kroah-Hartman
2026-03-29 7:06 ` Sebastián Alba
2026-03-29 6:21 ` Sebastian Josue Alba Vives [this message]
2026-03-29 6:21 ` [PATCH 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set() Sebastian Josue Alba Vives
2026-03-29 6:21 ` [PATCH 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 0/4] staging: vc04_services: vchiq-mmal: fix multiple memory safety issues Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 1/4] staging: vc04_services: vchiq-mmal: validate component index in event_to_host_cb() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 2/4] staging: vc04_services: vchiq-mmal: add buffer size check in inline_receive() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 3/4] staging: vc04_services: vchiq-mmal: prevent stack overflow in port_parameter_set() Sebastian Josue Alba Vives
2026-03-29 7:15 ` [PATCH v2 4/4] staging: vc04_services: vchiq-mmal: fix integer underflow in port_parameter_get() Sebastian Josue Alba Vives
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260329062229.493430-3-sebasjosue84@gmail.com \
--to=sebasjosue84@gmail.com \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=dave.stevenson@raspberrypi.com \
--cc=florian.fainelli@broadcom.com \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-list@raspberrypi.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-rpi-kernel@lists.infradead.org \
--cc=linux-staging@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox