From: Vikash Garodia <quic_vgarodia@quicinc.com>
To: Bryan O'Donoghue <bryan.odonoghue@linaro.org>,
Dikshita Agarwal <quic_dikshita@quicinc.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Stanimir Varbanov <stanimir.varbanov@linaro.org>,
Hans Verkuil <hans.verkuil@cisco.com>
Cc: <linux-media@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>,
<linux-kernel@vger.kernel.org>,
Vedang Nagar <quic_vnagar@quicinc.com>
Subject: Re: [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory
Date: Thu, 15 May 2025 18:53:15 +0530 [thread overview]
Message-ID: <f7df808c-0724-3f4d-b910-6e44637c7aaf@quicinc.com> (raw)
In-Reply-To: <bd704149-694f-4d89-90d9-a22307488743@linaro.org>
On 5/15/2025 6:17 PM, Bryan O'Donoghue wrote:
> On 15/05/2025 13:11, Vikash Garodia wrote:
>>> But what if the "malicious" firmware only updated the data in the packet, not
>>> the length - or another field we are not checking ?
>> That does not cause any vulnerability. You can check and suggest if you see a
>> vulnerability when the data outside length is an issue w.r.t vulnerability.
>
> I don't believe you have identified a vulnerability here.
>
> You read a length field, you check that length field against a MAX size.
>
> Re-reading to see if the firmware wrote new bad data to the transmitted packet
> in-memory is not a fix before or after the memcpy() because the time you do that
> re-read is not fixed - locked wrt the freerunning firmware.
It would be more meaningful if you can suggest the vulnerability you see with
the changes suggested i.e adding the check in local packet against the size read
from shared queue. Based on that we can see how to fix it, otherwise this
discussion in not leading to any conclusion.
Regards,
Vikash
next prev parent reply other threads:[~2025-05-15 13:23 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 13:38 [PATCH v3 0/2] venus driver fixes for vulnerabilities due to unexpected firmware payload Dikshita Agarwal
2025-05-14 13:38 ` [PATCH v3 1/2] media: venus: fix TOCTOU vulnerability when reading packets from shared memory Dikshita Agarwal
2025-05-15 9:17 ` Bryan O'Donoghue
2025-05-15 9:56 ` Vikash Garodia
2025-05-15 10:28 ` Bryan O'Donoghue
2025-05-15 12:11 ` Vikash Garodia
2025-05-15 12:47 ` Bryan O'Donoghue
2025-05-15 13:23 ` Vikash Garodia [this message]
2025-05-15 17:51 ` Bryan O'Donoghue
2025-05-15 18:25 ` Vikash Garodia
2025-05-16 10:11 ` Bryan O'Donoghue
2025-05-14 13:38 ` [PATCH v3 2/2] media: venus: Fix OOB read due to missing payload bound check Dikshita Agarwal
2025-05-17 21:41 ` Bryan O'Donoghue
2025-05-18 3:56 ` Vikash Garodia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f7df808c-0724-3f4d-b910-6e44637c7aaf@quicinc.com \
--to=quic_vgarodia@quicinc.com \
--cc=bryan.odonoghue@linaro.org \
--cc=hans.verkuil@cisco.com \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=quic_dikshita@quicinc.com \
--cc=quic_vnagar@quicinc.com \
--cc=stanimir.varbanov@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).