From: Vikash Garodia <quic_vgarodia@quicinc.com>
To: Bryan O'Donoghue <bryan.odonoghue@linaro.org>,
Dikshita Agarwal <quic_dikshita@quicinc.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Stanimir Varbanov <stanimir.varbanov@linaro.org>,
Hans Verkuil <hans.verkuil@cisco.com>
Cc: <linux-media@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>,
<linux-kernel@vger.kernel.org>,
Vedang Nagar <quic_vnagar@quicinc.com>
Subject: Re: [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory
Date: Thu, 15 May 2025 17:41:01 +0530 [thread overview]
Message-ID: <b663539d-5ad6-399b-1e7b-0b8b9daca10d@quicinc.com> (raw)
In-Reply-To: <b0c48989-4ce7-4338-b4bb-565ea8b6cd82@linaro.org>
On 5/15/2025 3:58 PM, Bryan O'Donoghue wrote:
> On 15/05/2025 10:56, Vikash Garodia wrote:
>> memcpy(hfi_dev->pkt_buf, rd_ptr from shared queue, dwords..)
>>
>> pkt_hdr = (struct hfi_pkt_hdr *) (hfi_dev->pkt_buf);
>>
>> if ((pkt_hdr->size >> 2) != dwords)
>> return -EINVAL;
>
> Yeah it would be better wrt the commit log.
>
> But does it really give additional data-confidence - I don't believe it does.
>
> => The firmware can update the pkt header after our subsequent-to-memcpy() check.
How will that matter if the queue is updated after memcpy to local packet ? All
processing of data would be from local packet.
>
> Again this is a data-lifetime expectation question.
>
> You validate the received data against a maximum size reading to a buffer you
> know the size of - and do it once.
>
> The firmware might corrupt that data in-between but that is not catastrophic for
> the APSS which has a buffer of a known size containing potential bad data.
There is no way to authenticate the content of payload. We are trying to avoid
vulnerability by ensuring OOB does not happen by validating the size _alone_. Do
you see rest of the data in payload can lead to any kind of vulnerability ?
>
> Fine - and additional check after the mempcy() only imparts verisimilitude -
> only validates our data at the time of the check.
>
> my-linear-uninterrupted-context:
>
> memcpy();
>
> if(*rd_ptr >> 2 > len) <- doesn't branch
> return -EBAD
>
> if(*rd_ptr >> 2 > len) <- does branch firmware went nuts
> return -EBAD
>
> Superficially you might say this addresses the problem
>
> if (*rd_ptr > MAX)
> return -EBAD;
>
> memcpy();
>
> if (*rd_ptr > MAX)
> return -EBAD;
>
> But what if the "malicious" firmware only updated the data in the packet, not
> the length - or another field we are not checking ?
That does not cause any vulnerability. You can check and suggest if you see a
vulnerability when the data outside length is an issue w.r.t vulnerability.
>
> As I say if this can happen
>
>
> if (*rd_ptr > MAX)
> return -EBAD;
>
> memcpy();
>
> if (*rd_ptr > MAX) // good
> return -EBAD;
>
>
> if (*rd_ptr > MAX) //bad
> return -EBAD;
>
> then this can happen
>
> if (*rd_ptr > MAX)
> return -EBAD;
>
> memcpy();
>
> if (*rd_ptr > MAX) // good
> return -EBAD;
>
>
> if (*rd_ptr > MAX) //good
> return -EBAD;
>
> if (*rd_ptr > MAX) //bad
> return -EBAD;
>
> We need to have a crisp and clear definition of the data-lifetime. Since we
> don't have a checksum element in the header the only check that makes sense is
> to validate the buffer size
>
> data_len = *ptr_val >> 2;
> if (data_len > max)
> return BAD;
>
> Using the data_len in memcpy if the *ptr_val can change is _NOT_ TOCTOU
>
> This is TOCTOU
>
> if (*ptr_val > max)
> return EBAD;
>
> memcpy(dst, src, *ptr_val);
>
> Because I validated the content of the pointer and then I relied on the data
> that pointer pointed to, which might have changed.
Yes, precisely for that, memcpy() does not rely on ptr_val. The one you are
referring as data_len is same as dword.
Regards,
Vikash
>
> TBH I think the entire premise of this patch is bogus.
>
> ---
> bod
next prev parent reply other threads:[~2025-05-15 12:11 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 13:38 [PATCH v3 0/2] venus driver fixes for vulnerabilities due to unexpected firmware payload Dikshita Agarwal
2025-05-14 13:38 ` [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory Dikshita Agarwal
2025-05-15 9:17 ` Bryan O'Donoghue
2025-05-15 9:56 ` Vikash Garodia
2025-05-15 10:28 ` Bryan O'Donoghue
2025-05-15 12:11 ` Vikash Garodia [this message]
2025-05-15 12:47 ` Bryan O'Donoghue
2025-05-15 13:23 ` Vikash Garodia
2025-05-15 17:51 ` Bryan O'Donoghue
2025-05-15 18:25 ` Vikash Garodia
2025-05-16 10:11 ` Bryan O'Donoghue
2025-05-14 13:38 ` [PATCH v3 2/2] media: venus: Fix OOB read due to missing payload bound check Dikshita Agarwal
2025-05-17 21:41 ` Bryan O'Donoghue
2025-05-18 3:56 ` Vikash Garodia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b663539d-5ad6-399b-1e7b-0b8b9daca10d@quicinc.com \
--to=quic_vgarodia@quicinc.com \
--cc=bryan.odonoghue@linaro.org \
--cc=hans.verkuil@cisco.com \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=quic_dikshita@quicinc.com \
--cc=quic_vnagar@quicinc.com \
--cc=stanimir.varbanov@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).