On Mon May 19 12:42:21 2025 +0530, Vedang Nagar wrote:
> Add a check to ensure that the packet size does not exceed the number of
> available words after reading the packet header from shared memory. This
> ensures that the size provided by the firmware is safe to process and
> prevents potential out-of-bounds memory access.
> 
> Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Vedang Nagar <quic_vna...@quicinc.com>
> Co-developed-by: Dikshita Agarwal <quic_diksh...@quicinc.com>
> Signed-off-by: Dikshita Agarwal <quic_diksh...@quicinc.com>
> Reviewed-by: Bryan O'Donoghue <bryan.odonog...@linaro.org>
> Signed-off-by: Bryan O'Donoghue <b...@kernel.org>
> Signed-off-by: Hans Verkuil <hverk...@xs4all.nl>

Patch committed.

Thanks,
Hans Verkuil

 drivers/media/platform/qcom/venus/hfi_venus.c | 4 ++++
 1 file changed, 4 insertions(+)

---

diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c 
b/drivers/media/platform/qcom/venus/hfi_venus.c
index b5f2ea879950..c982f4527bb0 100644
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -239,6 +239,7 @@ static int venus_write_queue(struct venus_hfi_device *hdev,
 static int venus_read_queue(struct venus_hfi_device *hdev,
                            struct iface_queue *queue, void *pkt, u32 *tx_req)
 {
+       struct hfi_pkt_hdr *pkt_hdr = NULL;
        struct hfi_queue_header *qhdr;
        u32 dwords, new_rd_idx;
        u32 rd_idx, wr_idx, type, qsize;
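Review bot: the `= NULL` initialiser on the new `pkt_hdr` declaration is not needed, because the only use in this patch assigns it from `pkt` immediately before dereferencing it. Dropping the initialiser (or declaring the pointer inside the block that uses it) keeps the compiler able to warn if a later change reads it before assignment. The pointer is only read through, so it could also be declared `const struct hfi_pkt_hdr *`.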
@@ -304,6 +305,9 @@ static int venus_read_queue(struct venus_hfi_device *hdev,
                        memcpy(pkt, rd_ptr, len);
                        memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2);
                }
+               pkt_hdr = (struct hfi_pkt_hdr *)(pkt);
+               if ((pkt_hdr->size >> 2) != dwords)
+                       return -EINVAL;
        } else {
                /* bad packet received, dropping */
                new_rd_idx = qhdr->write_idx;
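Review bot: the new `return -EINVAL` leaves the function straight from inside the if branch, whereas the existing else branch handles a bad packet by setting `new_rd_idx = qhdr->write_idx` and falling through. Please confirm the early return does not skip the read-index update that follows, otherwise the same malformed packet would be picked up again on the next read; setting an error code and dropping the packet the way the else branch does would avoid that. Two smaller points on the same lines: `(pkt_hdr->size >> 2) != dwords` discards the low two bits, so a size that is not a multiple of four still passes when its word count matches, and the check runs after both memcpy() calls, so it rejects an inconsistent packet but does not bound the copy itself. The cast and the parentheses in `(struct hfi_pkt_hdr *)(pkt)` are also unnecessary since `pkt` is a `void *`.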
