On Mon May 19 12:42:21 2025 +0530, Vedang Nagar wrote:
> Add a check to ensure that the packet size does not exceed the number of
> available words after reading the packet header from shared memory. This
> ensures that the size provided by the firmware is safe to process and
> prevent potential out-of-bounds memory access.
>
> Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Vedang Nagar <quic_vna...@quicinc.com>
> Co-developed-by: Dikshita Agarwal <quic_diksh...@quicinc.com>
> Signed-off-by: Dikshita Agarwal <quic_diksh...@quicinc.com>
> Reviewed-by: Bryan O'Donoghue <bryan.odonog...@linaro.org>
> Signed-off-by: Bryan O'Donoghue <b...@kernel.org>
> Signed-off-by: Hans Verkuil <hverk...@xs4all.nl>
Patch committed.
Thanks,
Hans Verkuil
drivers/media/platform/qcom/venus/hfi_venus.c | 4 ++++
1 file changed, 4 insertions(+)
---
diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c
b/drivers/media/platform/qcom/venus/hfi_venus.c
index b5f2ea879950..c982f4527bb0 100644
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -239,6 +239,7 @@ static int venus_write_queue(struct venus_hfi_device *hdev,
static int venus_read_queue(struct venus_hfi_device *hdev,
struct iface_queue *queue, void *pkt, u32 *tx_req)
{
+ struct hfi_pkt_hdr *pkt_hdr = NULL;
struct hfi_queue_header *qhdr;
u32 dwords, new_rd_idx;
u32 rd_idx, wr_idx, type, qsize;
@@ -304,6 +305,9 @@ static int venus_read_queue(struct venus_hfi_device *hdev,
memcpy(pkt, rd_ptr, len);
memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2);
}
+ pkt_hdr = (struct hfi_pkt_hdr *)(pkt);
+ if ((pkt_hdr->size >> 2) != dwords)
+ return -EINVAL;
} else {
/* bad packet received, dropping */
new_rd_idx = qhdr->write_idx;
