* [PATCH] staging: media: ipu3: buffer overflow fix in imgu_map_node
@ 2022-12-23 12:30 Aleksandr Burakov
2023-01-02 13:41 ` Sakari Ailus
0 siblings, 1 reply; 3+ messages in thread
From: Aleksandr Burakov @ 2022-12-23 12:30 UTC (permalink / raw)
To: Sakari Ailus, Bingbu Cao, Tianshu Qiu
Cc: Aleksandr Burakov, linux-media, linux-staging, linux-kernel,
lvc-project
If imgu_node_map[i].css_queue is not equal to css_queue
then "i" after the loop could be equal to IMGU_NODE_NUM
that is more than the border value (IMGU_NODE_NUM - 1).
So imgu_map_node() call may return IMGU_NODE_NUM that is more
than expected value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver")
Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
---
drivers/staging/media/ipu3/ipu3.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c
index 0c453b37f8c4..cb09eb3cc227 100644
--- a/drivers/staging/media/ipu3/ipu3.c
+++ b/drivers/staging/media/ipu3/ipu3.c
@@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue)
for (i = 0; i < IMGU_NODE_NUM; i++)
if (imgu_node_map[i].css_queue == css_queue)
break;
-
- return i;
+ if (i < IMGU_NODE_NUM)
+ return i;
+ else
+ return (IMGU_NODE_NUM - 1);
}
/**************** Dummy buffers ****************/
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] staging: media: ipu3: buffer overflow fix in imgu_map_node
2022-12-23 12:30 [PATCH] staging: media: ipu3: buffer overflow fix in imgu_map_node Aleksandr Burakov
@ 2023-01-02 13:41 ` Sakari Ailus
2023-01-04 13:33 ` Dan Carpenter
0 siblings, 1 reply; 3+ messages in thread
From: Sakari Ailus @ 2023-01-02 13:41 UTC (permalink / raw)
To: Aleksandr Burakov
Cc: Bingbu Cao, Tianshu Qiu, linux-media, linux-staging, linux-kernel,
lvc-project
Hi Aleksandr,
On Fri, Dec 23, 2022 at 03:30:25PM +0300, Aleksandr Burakov wrote:
> If imgu_node_map[i].css_queue is not equal to css_queue
> then "i" after the loop could be equal to IMGU_NODE_NUM
> that is more than the border value (IMGU_NODE_NUM - 1).
> So imgu_map_node() call may return IMGU_NODE_NUM that is more
> than expected value.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver")
> Signed-off-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
> ---
> drivers/staging/media/ipu3/ipu3.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c
> index 0c453b37f8c4..cb09eb3cc227 100644
> --- a/drivers/staging/media/ipu3/ipu3.c
> +++ b/drivers/staging/media/ipu3/ipu3.c
> @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue)
> for (i = 0; i < IMGU_NODE_NUM; i++)
> if (imgu_node_map[i].css_queue == css_queue)
> break;
> -
> - return i;
> + if (i < IMGU_NODE_NUM)
> + return i;
> + else
> + return (IMGU_NODE_NUM - 1);
> }
>
> /**************** Dummy buffers ****************/
Thanks for the patch. It would require a bug elsewhere in the driver for
this to happen. If some handling for this case is added, it shouldn't be
hiding the issue.
One easy way could be to add WARN_ON() for this, and return some value (as
you do). Zero would do equally well.
I.e.
return WARN_ON(i >= IMGU_NODE_NUM) ? 0 : i;
--
Sakari Ailus
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] staging: media: ipu3: buffer overflow fix in imgu_map_node
2023-01-02 13:41 ` Sakari Ailus
@ 2023-01-04 13:33 ` Dan Carpenter
0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2023-01-04 13:33 UTC (permalink / raw)
To: Sakari Ailus
Cc: Aleksandr Burakov, Bingbu Cao, Tianshu Qiu, linux-media,
linux-staging, linux-kernel, lvc-project
On Mon, Jan 02, 2023 at 01:41:21PM +0000, Sakari Ailus wrote:
> > diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c
> > index 0c453b37f8c4..cb09eb3cc227 100644
> > --- a/drivers/staging/media/ipu3/ipu3.c
> > +++ b/drivers/staging/media/ipu3/ipu3.c
> > @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue)
> > for (i = 0; i < IMGU_NODE_NUM; i++)
> > if (imgu_node_map[i].css_queue == css_queue)
> > break;
> > -
> > - return i;
> > + if (i < IMGU_NODE_NUM)
> > + return i;
> > + else
> > + return (IMGU_NODE_NUM - 1);
> > }
> >
> > /**************** Dummy buffers ****************/
>
> Thanks for the patch. It would require a bug elsewhere in the driver for
> this to happen. If some handling for this case is added, it shouldn't be
> hiding the issue.
>
> One easy way could be to add WARN_ON() for this, and return some value (as
> you do). Zero would do equally well.
>
> I.e.
>
> return WARN_ON(i >= IMGU_NODE_NUM) ? 0 : i;
>
I sent basically the same response but somehow my email never went
through... I'm using mutt with gmail Oauth2 and msmtp and so my
weekly(?) login has expired then something silently eats my outgoing
emails.
In this case the emails that I sent directly before and after went
through so it seems like my login wasn't expired or everything would
have been eaten.
This Oauth2 transition has just been so frustrating. Am I the only
person having trouble with it?
regards,
dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-01-04 13:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-23 12:30 [PATCH] staging: media: ipu3: buffer overflow fix in imgu_map_node Aleksandr Burakov
2023-01-02 13:41 ` Sakari Ailus
2023-01-04 13:33 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox