[PATCH v2 0/4] Venus driver fixes to avoid possible OOB accesses

Vikash Garodia <quic_vgarodia@xxxxxxxxxxx> · Thu, 10 Aug 2023 07:55:00 +0530

v1 -> v2:
- Address the comment to reduce size of queue pointer from queue size
- Consider the data size during memcpy to avoid OOB write
- Use hweight_long() to count the setbits representing the supported codecs

v1: https://lore.kernel.org/all/1690432469-14803-1-git-send-email-quic_vgarodia@xxxxxxxxxxx/

This series primarily adds check at relevant places in venus driver where there are possible OOB
accesses due to unexpected payload from venus firmware. The patches describes the specific OOB
possibility.

Please review and share your feedback.

Vikash Garodia (4):
  venus: hfi: add checks to perform sanity on queue pointers
  venus: hfi: fix the check to handle session buffer requirement
  venus: hfi: add checks to handle capabilities from firmware
  venus: hfi_parser: Add check to keep the number of codecs within range

 drivers/media/platform/qcom/venus/hfi_msgs.c   |  2 +-
 drivers/media/platform/qcom/venus/hfi_parser.c | 15 +++++++++++++++
 drivers/media/platform/qcom/venus/hfi_venus.c  | 10 ++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)

-- 
2.7.4