On Mon May 19 12:42:21 2025 +0530, Vedang Nagar wrote:
> Add a check to ensure that the packet size does not exceed the number of
> available words after reading the packet header from shared memory. This
> ensures that the size provided by the firmware is safe to process and
> prevents potential out-of-bounds memory access.
>
> Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Vedang Nagar <quic_vna...@quicinc.com>
> Co-developed-by: Dikshita Agarwal <quic_diksh...@quicinc.com>
> Signed-off-by: Dikshita Agarwal <quic_diksh...@quicinc.com>
> Reviewed-by: Bryan O'Donoghue <bryan.odonog...@linaro.org>
> Signed-off-by: Bryan O'Donoghue <b...@kernel.org>
> Signed-off-by: Hans Verkuil <hverk...@xs4all.nl>

Patch committed. Thanks, Hans Verkuil drivers/media/platform/qcom/venus/hfi_venus.c | 4 ++++ 1 file changed, 4 insertions(+) --- diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c index b5f2ea879950..c982f4527bb0 100644 --- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c @@ -239,6 +239,7 @@ static int venus_write_queue(struct venus_hfi_device *hdev, static int venus_read_queue(struct venus_hfi_device *hdev, struct iface_queue *queue, void *pkt, u32 *tx_req) { + struct hfi_pkt_hdr *pkt_hdr = NULL; struct hfi_queue_header *qhdr; u32 dwords, new_rd_idx; u32 rd_idx, wr_idx, type, qsize; @@ -304,6 +305,9 @@ static int venus_read_queue(struct venus_hfi_device *hdev, memcpy(pkt, rd_ptr, len); memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2); } + pkt_hdr = (struct hfi_pkt_hdr *)(pkt); + if ((pkt_hdr->size >> 2) != dwords) + return -EINVAL; } else { /* bad packet received, dropping */ new_rd_idx = qhdr->write_idx;
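
Review bot: In the first hunk (the declarations at the top of venus_read_queue), the "= NULL" initializer on pkt_hdr is unnecessary, because the pointer is assigned from pkt immediately before its only use in the second hunk. The neighbouring declaration "struct hfi_queue_header *qhdr;" carries no initializer, so the new line could match it, or pkt_hdr could be declared inside the block where the size check lives.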
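
Review bot: In the second hunk, the new "return -EINVAL" exits from inside the good-packet branch, while the else branch directly below treats a bad packet by setting "new_rd_idx = qhdr->write_idx" and falling through. If the code after this if/else is what publishes the new read index, the early return skips it and the same malformed packet would be read again on the next call, so consider sending the mismatch down the same drop path before returning the error. Two smaller points on the same lines: the commit message describes a size that must "not exceed" the available words, but the test is "!=", which also rejects a header size smaller than dwords, so a short comment stating that an exact match is required would help; and the cast "(struct hfi_pkt_hdr *)(pkt)" is redundant since pkt is a void pointer. Reading the size from the copied pkt rather than from rd_ptr is the right choice, since the firmware cannot change the value after it has been checked.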