Re: [PATCH 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS

[Dan Carpenter <error27@gmail.com>]

On Fri, Jun 26, 2026 at 06:40:41PM +0200, Doruk Tan Ozturk wrote:
> atomisp_v4l2_framebuffer_to_css_frame() allocates the CSS frame
> (res->data) from arg->fmt.{width,height,format} but then
> hmm_store()s arg->fmt.sizeimage bytes into it. sizeimage is an
> independent user-controlled v4l2_pix_format field with no cross-check, so
> a sizeimage larger than the allocated frame overflows res->data (ISP/hmm
> memory). Reject sizeimage > res->data_bytes before the store.
> 
> Found by static analysis; not yet runtime-reproduced (Intel Atom ISP
> hardware required).
> 
> Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).
> 
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>

We need a Fixes tag for all three of these patches.

> ---
>  drivers/staging/media/atomisp/pci/atomisp_cmd.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
> index 6cd500d9f..966b84402 100644
> --- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
> +++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
> @@ -3331,6 +3331,16 @@ atomisp_v4l2_framebuffer_to_css_frame(const struct v4l2_framebuffer *arg,
>  		goto err;
>  	}
>  
> +	/*
> +	 * sizeimage is a separate user-controlled v4l2_pix_format field; the
> +	 * frame above was sized from width/height/format. Reject a sizeimage
> +	 * that would overflow the allocated frame in the hmm_store() below.
> +	 */
> +	if (arg->fmt.sizeimage > res->data_bytes) {
> +		ret = -EINVAL;
> +		goto err;
> +	}

The math to calculate the size from width/height in
frame_init_raw_single_plane() and similar functions looks like it
has integer overflow bugs as well.

regards,
dan carpenter