Re: [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
To: Vikash Garodia <quic_vgarodia@quicinc.com>,
	Dikshita Agarwal <quic_dikshita@quicinc.com>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Stanimir Varbanov <stanimir.varbanov@linaro.org>,
	Hans Verkuil <hans.verkuil@cisco.com>
Cc: linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Vedang Nagar <quic_vnagar@quicinc.com>
Subject: Re: [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory
Date: Thu, 15 May 2025 11:28:10 +0100	[thread overview]
Message-ID: <b0c48989-4ce7-4338-b4bb-565ea8b6cd82@linaro.org> (raw)
In-Reply-To: <0c50c24a-35fa-acfb-a807-b4ed5394506b@quicinc.com>

On 15/05/2025 10:56, Vikash Garodia wrote:
> memcpy(hfi_dev->pkt_buf, rd_ptr from shared queue, dwords..)
> 
> pkt_hdr = (struct hfi_pkt_hdr *) (hfi_dev->pkt_buf);
> 
> if ((pkt_hdr->size >> 2) != dwords)
>      return -EINVAL;

Yeah it would be better wrt the commit log.

But does it really give additional data-confidence - I don't believe it 
does.

=> The firmware can update the pkt header after our 
subsequent-to-memcpy() check.

Again this is a data-lifetime expectation question.

You validate the received data against a maximum size reading to a 
buffer you know the size of - and do it once.

The firmware might corrupt that data in-between but that is not 
catastrophic for the APSS which has a buffer of a known size containing 
potential bad data.

Fine - and additional check after the mempcy() only imparts 
verisimilitude - only validates our data at the time of the check.

my-linear-uninterrupted-context:

memcpy();

if(*rd_ptr >> 2 > len) <- doesn't branch
     return -EBAD

if(*rd_ptr >> 2 > len) <- does branch firmware went nuts
     return -EBAD

Superficially you might say this addresses the problem

if (*rd_ptr > MAX)
     return -EBAD;

memcpy();

if (*rd_ptr > MAX)
     return -EBAD;

But what if the "malicious" firmware only updated the data in the 
packet, not the length - or another field we are not checking ?

As I say if this can happen

if (*rd_ptr > MAX)
     return -EBAD;

memcpy();

if (*rd_ptr > MAX)  // good
     return -EBAD;

if (*rd_ptr > MAX) //bad
     return -EBAD;

then this can happen

if (*rd_ptr > MAX)
     return -EBAD;

memcpy();

if (*rd_ptr > MAX) // good
     return -EBAD;

if (*rd_ptr > MAX) //good
     return -EBAD;

if (*rd_ptr > MAX) //bad
     return -EBAD;

We need to have a crisp and clear definition of the data-lifetime. Since 
we don't have a checksum element in the header the only check that makes 
sense is to validate the buffer size

data_len = *ptr_val >> 2;
if (data_len > max)
     return BAD;

Using the data_len in memcpy if the *ptr_val can change is _NOT_ TOCTOU

This is TOCTOU

if (*ptr_val > max)
     return EBAD;

memcpy(dst, src, *ptr_val);

Because I validated the content of the pointer and then I relied on the 
data that pointer pointed to, which might have changed.

TBH I think the entire premise of this patch is bogus.

---
bod

next prev parent reply	other threads:[~2025-05-15 10:28 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-14 13:38 [PATCH v3 0/2] venus driver fixes for vulnerabilities due to unexpected firmware payload Dikshita Agarwal
2025-05-14 13:38 ` [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory Dikshita Agarwal
2025-05-15  9:17   ` Bryan O'Donoghue
2025-05-15  9:56     ` Vikash Garodia
2025-05-15 10:28       ` Bryan O'Donoghue [this message]
2025-05-15 12:11         ` Vikash Garodia
2025-05-15 12:47           ` Bryan O'Donoghue
2025-05-15 13:23             ` Vikash Garodia
2025-05-15 17:51               ` Bryan O'Donoghue
2025-05-15 18:25                 ` Vikash Garodia
2025-05-16 10:11                   ` Bryan O'Donoghue
2025-05-14 13:38 ` [PATCH v3 2/2] media: venus: Fix OOB read due to missing payload bound check Dikshita Agarwal
2025-05-17 21:41   ` Bryan O'Donoghue
2025-05-18  3:56   ` Vikash Garodia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b0c48989-4ce7-4338-b4bb-565ea8b6cd82@linaro.org \
    --to=bryan.odonoghue@linaro.org \
    --cc=hans.verkuil@cisco.com \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=quic_dikshita@quicinc.com \
    --cc=quic_vgarodia@quicinc.com \
    --cc=quic_vnagar@quicinc.com \
    --cc=stanimir.varbanov@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).