mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-30 14:19:16 +00:00
media: venus: hfi: add checks to perform sanity on queue pointers
commit5e538fce33
upstream. Read and write pointers are used to track the packet index in the memory shared between video driver and firmware. There is a possibility of OOB access if the read or write pointer goes beyond the queue memory size. Add checks for the read and write pointer to avoid OOB access. Cc: stable@vger.kernel.org Fixes:d96d3f30c0
("[media] media: venus: hfi: add Venus HFI files") Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
8263db0c64
commit
1b12b83331
1 changed files with 10 additions and 0 deletions
|
@ -220,6 +220,11 @@ static int venus_write_queue(struct venus_hfi_device *hdev,
|
||||||
|
|
||||||
new_wr_idx = wr_idx + dwords;
|
new_wr_idx = wr_idx + dwords;
|
||||||
wr_ptr = (u32 *)(queue->qmem.kva + (wr_idx << 2));
|
wr_ptr = (u32 *)(queue->qmem.kva + (wr_idx << 2));
|
||||||
|
|
||||||
|
if (wr_ptr < (u32 *)queue->qmem.kva ||
|
||||||
|
wr_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size - sizeof(*wr_ptr)))
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
if (new_wr_idx < qsize) {
|
if (new_wr_idx < qsize) {
|
||||||
memcpy(wr_ptr, packet, dwords << 2);
|
memcpy(wr_ptr, packet, dwords << 2);
|
||||||
} else {
|
} else {
|
||||||
|
@ -287,6 +292,11 @@ static int venus_read_queue(struct venus_hfi_device *hdev,
|
||||||
}
|
}
|
||||||
|
|
||||||
rd_ptr = (u32 *)(queue->qmem.kva + (rd_idx << 2));
|
rd_ptr = (u32 *)(queue->qmem.kva + (rd_idx << 2));
|
||||||
|
|
||||||
|
if (rd_ptr < (u32 *)queue->qmem.kva ||
|
||||||
|
rd_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size - sizeof(*rd_ptr)))
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
dwords = *rd_ptr >> 2;
|
dwords = *rd_ptr >> 2;
|
||||||
if (!dwords)
|
if (!dwords)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
Loading…
Reference in a new issue