Re: [PATCH 2/4] venus: hfi: fix the check to handle session buffer requirement

[Nathan Hebert <nhebert@xxxxxxxxxxxx>]

On Wed, Jul 26, 2023 at 9:35 PM Vikash Garodia
<quic_vgarodia@xxxxxxxxxxx> wrote:
>
> Buffer requirement, for different buffer type, comes from video firmware.
> While copying these requirements, there is an OOB possibility when the
> payload from firmware is more than expected size. Fix the check to avoid
> the OOB possibility.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
> Signed-off-by: Vikash Garodia <quic_vgarodia@xxxxxxxxxxx>
> ---
>  drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c
> index 3d5dadf..3e85bd8 100644
> --- a/drivers/media/platform/qcom/venus/hfi_msgs.c
> +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
> @@ -398,7 +398,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt,
>                 memcpy(&bufreq[idx], buf_req, sizeof(*bufreq));
>                 idx++;
>
> -               if (idx > HFI_BUFFER_TYPE_MAX)
> +               if (idx >= HFI_BUFFER_TYPE_MAX)
>                         return HFI_ERR_SESSION_INVALID_PARAMETER;
>
>                 req_bytes -= sizeof(struct hfi_buffer_requirements);
> --
> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
> a Linux Foundation Collaborative Project
>
The fix makes sense to me.
Reviewed-by: Nathan Hebert <nhebert@xxxxxxxxxxxx>

Best regards,
Nathan Hebert