Commit 5e538fce authored by Vikash Garodia's avatar Vikash Garodia Committed by Hans Verkuil

media: venus: hfi: add checks to perform sanity on queue pointers



Read and write pointers are used to track the packet index in the memory
shared between video driver and firmware. There is a possibility of OOB
access if the read or write pointer goes beyond the queue memory size.
Add checks for the read and write pointer to avoid OOB access.

Cc: stable@vger.kernel.org
Fixes: d96d3f30 ("[media] media: venus: hfi: add Venus HFI files")
Signed-off-by: default avatarVikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: default avatarStanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
parent 48016737
+10 −0
@@ -205,6 +205,11 @@ static int venus_write_queue(struct venus_hfi_device *hdev,

	new_wr_idx = wr_idx + dwords;
	wr_ptr = (u32 *)(queue->qmem.kva + (wr_idx << 2));

	if (wr_ptr < (u32 *)queue->qmem.kva ||
	    wr_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size - sizeof(*wr_ptr)))
		return -EINVAL;

	if (new_wr_idx < qsize) {
		memcpy(wr_ptr, packet, dwords << 2);
	} else {
@@ -272,6 +277,11 @@ static int venus_read_queue(struct venus_hfi_device *hdev,
	}

	rd_ptr = (u32 *)(queue->qmem.kva + (rd_idx << 2));

	if (rd_ptr < (u32 *)queue->qmem.kva ||
	    rd_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size - sizeof(*rd_ptr)))
		return -EINVAL;

	dwords = *rd_ptr >> 2;
	if (!dwords)
		return -EINVAL;
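Review bot: The added check in venus_read_queue only proves that the four bytes at `rd_ptr` lie inside `queue->qmem`; `dwords` is then read from that shared-memory word and rejected only when it is zero, so nothing visible in this hunk bounds the length of a later copy. The same applies to venus_write_queue, where `memcpy(wr_ptr, packet, dwords << 2)` is gated on `new_wr_idx < qsize` and `qsize` is not compared with `queue->qmem.size` in the lines shown. If the code outside the hunks does not already enforce it, a length guard such as `if (dwords > (queue->qmem.size >> 2)) return -EINVAL;` next to each new check would close that gap. A short comment above each check, e.g. `/* index lives in memory shared with firmware; validate before dereferencing */`, would record why the test exists. Both function bodies start and end outside the hunks, so the surrounding validation could not be confirmed from this page.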