The Linux Kernel Mailing List
* [PATCH 0/2] media: atomisp: validate user-supplied buffer sizes in two ioctl paths
@ 2026-06-26 16:40 Doruk Tan Ozturk
  2026-06-26 16:40 ` [PATCH 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS Doruk Tan Ozturk
  2026-06-26 16:40 ` [PATCH 2/2] media: atomisp: bound DVS 6-axis table dimensions to the allocated config Doruk Tan Ozturk
  0 siblings, 2 replies; 4+ messages in thread
From: Doruk Tan Ozturk @ 2026-06-26 16:40 UTC (permalink / raw)
  To: Hans de Goede, Andy Shevchenko, Mauro Carvalho Chehab,
	Greg Kroah-Hartman
  Cc: Sakari Ailus, linux-media, linux-staging, linux-kernel,
	Doruk Tan Ozturk

Two ioctls in the AtomISP staging driver size a kernel buffer from one
user-supplied field but use a *different* user-supplied field as the
copy/store length, with no cross-check, allowing a kernel heap/ISP-memory
out-of-bounds write:

  1) atomisp_v4l2_framebuffer_to_css_frame(): frame allocated from
     width/height/format, but hmm_store() uses arg->fmt.sizeimage.
  2) atomisp_cp_dvs_6axis_config(): DVS 6-axis table allocated from the
     stream grid, but copy_from_compatible() uses the user width/height
     (both ISP2401 and ISP2400 paths).

Both add a bound check before the copy. Found by 0sec's autonomous
vulnerability analysis (https://0sec.ai); identified by static analysis,
not yet runtime-reproduced (Intel Atom ISP hardware required).


Doruk Tan Ozturk (2):
  media: atomisp: validate sizeimage against the allocated frame in
    framebuffer-to-CSS
  media: atomisp: bound DVS 6-axis table dimensions to the allocated
    config

 .../staging/media/atomisp/pci/atomisp_cmd.c   | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

-- 
2.43.0


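As an added illustration of the pattern the cover letter describes (this is constructed example code, not code from the patches or from the atomisp driver), a user-space C model of the framebuffer path: the frame is sized from width/height/bytes-per-pixel with overflow-checked arithmetic, and the separately supplied sizeimage is bounded by that allocation before the store, the same shape as the DVS 6-axis dimension check in patch 2. All struct and function names are stand-ins assumed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the cover letter's pattern: the frame is sized from
 * width/height/format, but the store length is the independent user field
 * sizeimage, so the length must be bounded by the allocation. */
struct user_fmt { uint32_t width, height, bytes_per_pixel, sizeimage; };
struct frame { size_t data_bytes; uint8_t *data; };

/* Size the frame from the geometry; refuse a multiply that would wrap
 * (the integer-overflow concern raised in the review reply). */
static int frame_alloc(const struct user_fmt *f, struct frame *res)
{
	size_t bytes;
	if (!f->width || !f->height || !f->bytes_per_pixel)
		return -EINVAL;
	if (f->width > SIZE_MAX / f->height)
		return -EOVERFLOW;
	bytes = (size_t)f->width * f->height;
	if (bytes > SIZE_MAX / f->bytes_per_pixel)
		return -EOVERFLOW;
	bytes *= f->bytes_per_pixel;
	res->data = calloc(1, bytes);
	if (!res->data)
		return -ENOMEM;
	res->data_bytes = bytes;
	return 0;
}

/* The patched path: src stands in for the user buffer, memcpy() for
 * hmm_store(); the sizeimage bound is the check the patch adds. */
static int framebuffer_to_frame(const struct user_fmt *f, const uint8_t *src,
				struct frame *res)
{
	int ret = frame_alloc(f, res);
	if (ret)
		return ret;
	if (f->sizeimage > res->data_bytes) {	/* would overflow res->data */
		free(res->data);
		res->data = NULL;
		return -EINVAL;
	}
	memcpy(res->data, src, f->sizeimage);
	return 0;
}
```
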

* [PATCH 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS
  2026-06-26 16:40 [PATCH 0/2] media: atomisp: validate user-supplied buffer sizes in two ioctl paths Doruk Tan Ozturk
@ 2026-06-26 16:40 ` Doruk Tan Ozturk
  2026-06-26 17:12   ` Dan Carpenter
  2026-06-26 16:40 ` [PATCH 2/2] media: atomisp: bound DVS 6-axis table dimensions to the allocated config Doruk Tan Ozturk
  1 sibling, 1 reply; 4+ messages in thread
From: Doruk Tan Ozturk @ 2026-06-26 16:40 UTC (permalink / raw)
  To: Hans de Goede, Andy Shevchenko, Mauro Carvalho Chehab,
	Greg Kroah-Hartman
  Cc: Sakari Ailus, linux-media, linux-staging, linux-kernel,
	Doruk Tan Ozturk

atomisp_v4l2_framebuffer_to_css_frame() allocates the CSS frame
(res->data) from arg->fmt.{width,height,format} but then
hmm_store()s arg->fmt.sizeimage bytes into it. sizeimage is an
independent user-controlled v4l2_pix_format field with no cross-check, so
a sizeimage larger than the allocated frame overflows res->data (ISP/hmm
memory). Reject sizeimage > res->data_bytes before the store.

Found by static analysis; not yet runtime-reproduced (Intel Atom ISP
hardware required).

Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).

Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
 drivers/staging/media/atomisp/pci/atomisp_cmd.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
index 6cd500d9f..966b84402 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
@@ -3331,6 +3331,16 @@ atomisp_v4l2_framebuffer_to_css_frame(const struct v4l2_framebuffer *arg,
 		goto err;
 	}
 
+	/*
+	 * sizeimage is a separate user-controlled v4l2_pix_format field; the
+	 * frame above was sized from width/height/format. Reject a sizeimage
+	 * that would overflow the allocated frame in the hmm_store() below.
+	 */
+	if (arg->fmt.sizeimage > res->data_bytes) {
+		ret = -EINVAL;
+		goto err;
+	}
+
 	tmp_buf = vmalloc(arg->fmt.sizeimage);
 	if (!tmp_buf) {
 		ret = -ENOMEM;
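Review bot: the check `if (arg->fmt.sizeimage > res->data_bytes)` bounds the store, but it lets sizeimage == 0 through to `vmalloc(arg->fmt.sizeimage)` and lets any sizeimage smaller than data_bytes leave the tail of the newly allocated frame unwritten; if the ISP expects a full frame, `arg->fmt.sizeimage != res->data_bytes` is the tighter contract, and either way the lower bound deserves a line in the comment. Placing the check before the vmalloc() is right, since it also avoids allocating a user-sized temporary buffer that could never be stored. The commit still needs a Fixes: tag naming the change that introduced the hmm_store() of sizeimage.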
-- 
2.43.0



* [PATCH 2/2] media: atomisp: bound DVS 6-axis table dimensions to the allocated config
  2026-06-26 16:40 [PATCH 0/2] media: atomisp: validate user-supplied buffer sizes in two ioctl paths Doruk Tan Ozturk
  2026-06-26 16:40 ` [PATCH 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS Doruk Tan Ozturk
@ 2026-06-26 16:40 ` Doruk Tan Ozturk
  1 sibling, 0 replies; 4+ messages in thread
From: Doruk Tan Ozturk @ 2026-06-26 16:40 UTC (permalink / raw)
  To: Hans de Goede, Andy Shevchenko, Mauro Carvalho Chehab,
	Greg Kroah-Hartman
  Cc: Sakari Ailus, linux-media, linux-staging, linux-kernel,
	Doruk Tan Ozturk

atomisp_cp_dvs_6axis_config() copies the DVS 6-axis coordinate tables with
the user-supplied width/height (t_6axis_config / source_6axis_config) as
the copy_from_compatible() length, while the destination is allocated by
ia_css_dvs2_6axis_config_allocate() from the stream grid dimensions. User
dimensions larger than the allocated grid overflow the xcoords/ycoords
buffers. Reject user dimensions that exceed the allocated config in both
the ISP2401 and ISP2400 paths before the copies.

Found by static analysis; not yet runtime-reproduced (Intel Atom ISP
hardware required).

Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).

Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
 drivers/staging/media/atomisp/pci/atomisp_cmd.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
index 966b84402..b04d3f3ca 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
@@ -2632,6 +2632,14 @@ int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd,
 
 		dvs_6axis_config->exp_id = t_6axis_config.exp_id;
 
+		if (t_6axis_config.width_y > dvs_6axis_config->width_y ||
+		    t_6axis_config.height_y > dvs_6axis_config->height_y ||
+		    t_6axis_config.width_uv > dvs_6axis_config->width_uv ||
+		    t_6axis_config.height_uv > dvs_6axis_config->height_uv) {
+			ret = -EINVAL;
+			goto error;
+		}
+
 		if (copy_from_compatible(dvs_6axis_config->xcoords_y,
 					t_6axis_config.xcoords_y,
 					t_6axis_config.width_y *
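Review bot: the four comparisons only reject user dimensions larger than the allocation, while the copy below uses `t_6axis_config.width_y *` the user height as the byte count; a smaller user width_y therefore writes rows into xcoords_y at the user's stride while dvs_6axis_config->width_y keeps the allocated stride, and whatever consumes the table later reads skewed coordinates. Unless a smaller table is a documented partial update, compare with `!=` against the allocated config and say so in the commit message. The check also sits after `dvs_6axis_config->exp_id = t_6axis_config.exp_id;`, so on `goto error` exp_id has already been changed; moving the check above that assignment leaves the config untouched on rejection.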
@@ -2684,6 +2692,14 @@ int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd,
 
 		dvs_6axis_config->exp_id = source_6axis_config->exp_id;
 
+		if (source_6axis_config->width_y > dvs_6axis_config->width_y ||
+		    source_6axis_config->height_y > dvs_6axis_config->height_y ||
+		    source_6axis_config->width_uv > dvs_6axis_config->width_uv ||
+		    source_6axis_config->height_uv > dvs_6axis_config->height_uv) {
+			ret = -EINVAL;
+			goto error;
+		}
+
 		if (copy_from_compatible(dvs_6axis_config->xcoords_y,
 					source_6axis_config->xcoords_y,
 					source_6axis_config->width_y *
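Review bot: this block repeats the ISP2401 check above verbatim apart from `source_6axis_config->` replacing `t_6axis_config.`; a small static helper taking the four user dimensions and the allocated config, returning -EINVAL on mismatch, would keep the two paths from drifting when one of them is later changed. Whichever comparison the first hunk settles on (`>` or `!=`) has to be mirrored here.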
-- 
2.43.0



* Re: [PATCH 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS
  2026-06-26 16:40 ` [PATCH 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS Doruk Tan Ozturk
@ 2026-06-26 17:12   ` Dan Carpenter
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2026-06-26 17:12 UTC (permalink / raw)
  To: Doruk Tan Ozturk
  Cc: Hans de Goede, Andy Shevchenko, Mauro Carvalho Chehab,
	Greg Kroah-Hartman, Sakari Ailus, linux-media, linux-staging,
	linux-kernel

On Fri, Jun 26, 2026 at 06:40:41PM +0200, Doruk Tan Ozturk wrote:
> atomisp_v4l2_framebuffer_to_css_frame() allocates the CSS frame
> (res->data) from arg->fmt.{width,height,format} but then
> hmm_store()s arg->fmt.sizeimage bytes into it. sizeimage is an
> independent user-controlled v4l2_pix_format field with no cross-check, so
> a sizeimage larger than the allocated frame overflows res->data (ISP/hmm
> memory). Reject sizeimage > res->data_bytes before the store.
> 
> Found by static analysis; not yet runtime-reproduced (Intel Atom ISP
> hardware required).
> 
> Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).
> 
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>

We need a Fixes tag for all three of these patches.

> ---
>  drivers/staging/media/atomisp/pci/atomisp_cmd.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
> index 6cd500d9f..966b84402 100644
> --- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
> +++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
> @@ -3331,6 +3331,16 @@ atomisp_v4l2_framebuffer_to_css_frame(const struct v4l2_framebuffer *arg,
>  		goto err;
>  	}
>  
> +	/*
> +	 * sizeimage is a separate user-controlled v4l2_pix_format field; the
> +	 * frame above was sized from width/height/format. Reject a sizeimage
> +	 * that would overflow the allocated frame in the hmm_store() below.
> +	 */
> +	if (arg->fmt.sizeimage > res->data_bytes) {
> +		ret = -EINVAL;
> +		goto err;
> +	}
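Review bot: this bound is only as good as res->data_bytes; if the width/height arithmetic that sizes the frame wraps, as the reply goes on to suggest for frame_init_raw_single_plane(), both the frame and data_bytes come out small, and this check then rejects a correctly sized sizeimage instead of overflowing. So the check fails safe for hmm_store(), but the undersized frame still needs the size math fixed in its own patch.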

The math to calculate the size from width/height in
frame_init_raw_single_plane() and similar functions looks like it
has integer overflow bugs as well.

regards,
dan carpenter



