Re: [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Vikash Garodia <quic_vgarodia@quicinc.com>
To: Bryan O'Donoghue <bryan.odonoghue@linaro.org>,
	Dikshita Agarwal <quic_dikshita@quicinc.com>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Stanimir Varbanov <stanimir.varbanov@linaro.org>,
	Hans Verkuil <hans.verkuil@cisco.com>
Cc: <linux-media@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>,
	Vedang Nagar <quic_vnagar@quicinc.com>
Subject: Re: [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory
Date: Thu, 15 May 2025 23:55:57 +0530	[thread overview]
Message-ID: <13887de6-4f84-9d0c-bd48-de6f0472d9ef@quicinc.com> (raw)
In-Reply-To: <767909a0-70ea-47d3-b6bf-b57e5d7e7c5c@linaro.org>



On 5/15/2025 11:21 PM, Bryan O'Donoghue wrote:
> On 15/05/2025 14:23, Vikash Garodia wrote:
>>> Re-reading to see if the firmware wrote new bad data to the transmitted packet
>>> in-memory is not a fix before or after the memcpy() because the time you do that
>>> re-read is not fixed - locked wrt the freerunning firmware.
>> It would be more meaningful if you can suggest the vulnerability you see with
>> the changes suggested i.e adding the check in local packet against the size read
>> from shared queue. Based on that we can see how to fix it, otherwise this
>> discussion in not leading to any conclusion.
> 
> So to re-iterate.
> 
> TOCTOU is this
> 
> if (*ptr_val >> 2 >= MAX)
>     return -EBAD;
> 
> memcpy(dst, src, *ptr_val >> 2);
> 
> Here a malicious actor can change *ptr_val between our check and our use.
> 
> not
> 
> data_value = *ptr_val >> 2;
> 
> if (data_value >= MAX)
>     return -EBAD;
> 
> memcpy(dst, src, data_value);
> 
> Here the taking a copy of the value and subsequently relying on that value
> mitigates TOCTOU, because the value *ptr_val is latched - read into a local
> variable which cannot be manipulated from an outside agent i.e. venus firmware.
> 
> The example in the commit log is not a TOCTOU for that reason.
> 
> Adding an additional check _after_ the memcpy() seems silly to me because
> 
> data_value = *ptr_val >> 2;
> 
> if (data_value >= MAX)
>     return -EBAD;
> 
> memcpy(dst, src, data_value);
> 
> // This statement could be false
> if (data_value != *ptr_value >> 2)
>     return -EBAD;
> 
> // while this subsequent statement is true
> if (data_value != *ptr_value >> 2)
>     return -EBAD;
> 
Check the pseudo code which i proposed earlier in this conversation [1]. It does
not rely on ptr_val at all to check the sanity after memcpy.

[1] https://lore.kernel.org/all/0c50c24a-35fa-acfb-a807-b4ed5394506b@quicinc.com/
> And in any case this is a post-use sanity check not a mitigation for TOCTOU
> which we don't have.
> 
> ---
> bod

next prev parent reply	other threads:[~2025-05-15 18:26 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-14 13:38 [PATCH v3 0/2] venus driver fixes for vulnerabilities due to unexpected firmware payload Dikshita Agarwal
2025-05-14 13:38 ` [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory Dikshita Agarwal
2025-05-15  9:17   ` Bryan O'Donoghue
2025-05-15  9:56     ` Vikash Garodia
2025-05-15 10:28       ` Bryan O'Donoghue
2025-05-15 12:11         ` Vikash Garodia
2025-05-15 12:47           ` Bryan O'Donoghue
2025-05-15 13:23             ` Vikash Garodia
2025-05-15 17:51               ` Bryan O'Donoghue
2025-05-15 18:25                 ` Vikash Garodia [this message]
2025-05-16 10:11                   ` Bryan O'Donoghue
2025-05-14 13:38 ` [PATCH v3 2/2] media: venus: Fix OOB read due to missing payload bound check Dikshita Agarwal
2025-05-17 21:41   ` Bryan O'Donoghue
2025-05-18  3:56   ` Vikash Garodia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=13887de6-4f84-9d0c-bd48-de6f0472d9ef@quicinc.com \
    --to=quic_vgarodia@quicinc.com \
    --cc=bryan.odonoghue@linaro.org \
    --cc=hans.verkuil@cisco.com \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=quic_dikshita@quicinc.com \
    --cc=quic_vnagar@quicinc.com \
    --cc=stanimir.varbanov@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).