media: venus: hfi: add check to handle incorrect queue size

qsize represents the size of the shared queue between driver and video
firmware. Firmware can modify this value to an invalid large value. In
such a situation, empty_space will be bigger than the space actually
available. Since new_wr_idx is not checked, the following code will
result in an OOB write.

    ...
    qsize = qhdr->q_size

    if (wr_idx >= rd_idx)
        empty_space = qsize - (wr_idx - rd_idx)
    ....
    if (new_wr_idx < qsize) {
        memcpy(wr_ptr, packet, dwords << 2) --> OOB write

Add check to ensure qsize is within the allocated size while
reading and writing packets into the queue.

Cc: stable@vger.kernel.org
Fixes: d96d3f30 ("[media] media: venus: hfi: add Venus HFI files")
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
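
The check described in the commit message, sketched as an added example; this is not the driver's code. The struct layout, `QUEUE_DWORDS`, `queue_write` and the return codes are assumptions made for illustration, and the index validation goes one step beyond what the message describes.

```c
#include <stdint.h>
#include <string.h>

#define QUEUE_DWORDS 16u  /* assumed allocation: 16 dwords (64 bytes) */

struct queue {                   /* hypothetical layout, shared with firmware */
    uint32_t q_size;             /* size in dwords; firmware can rewrite it */
    uint32_t rd_idx, wr_idx;     /* dword indices into data[] */
    uint32_t data[QUEUE_DWORDS]; /* the memory actually allocated */
};

/* Returns 0 on success, -1 for an invalid header, -2 if there is no space. */
int queue_write(struct queue *q, const uint32_t *packet, uint32_t dwords)
{
    /* Snapshot the shared fields once so later checks use the same values. */
    uint32_t qsize = q->q_size, rd_idx = q->rd_idx, wr_idx = q->wr_idx;
    uint32_t empty_space, new_wr_idx;

    /* The check the commit describes: qsize must fit the allocated size. */
    if (qsize == 0 || qsize > QUEUE_DWORDS)
        return -1;
    /* Assumption beyond the commit message: indices are validated too. */
    if (rd_idx >= qsize || wr_idx >= qsize)
        return -1;

    if (wr_idx >= rd_idx)
        empty_space = qsize - (wr_idx - rd_idx);
    else
        empty_space = rd_idx - wr_idx;
    if (dwords >= empty_space)
        return -2;

    new_wr_idx = wr_idx + dwords;
    if (new_wr_idx < qsize) {
        memcpy(&q->data[wr_idx], packet, dwords << 2);
    } else {                     /* wrap around the end of the queue */
        uint32_t first = qsize - wr_idx;
        new_wr_idx -= qsize;
        memcpy(&q->data[wr_idx], packet, first << 2);
        memcpy(&q->data[0], packet + first, new_wr_idx << 2);
    }
    q->wr_idx = new_wr_idx;
    return 0;
}
```

With the bound in place, an inflated `q_size` is rejected before `empty_space` is computed, so the copy length can never exceed the allocation.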