This is a note to let you know that I've just added the patch titled media: venus: hfi: fix the check to handle session buffer requirement to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From b18e36dfd6c935da60a971310374f3dfec3c82e1 Mon Sep 17 00:00:00 2001 From: Vikash Garodia <quic_vgarodia@xxxxxxxxxxx> Date: Thu, 10 Aug 2023 07:55:02 +0530 Subject: media: venus: hfi: fix the check to handle session buffer requirement From: Vikash Garodia <quic_vgarodia@xxxxxxxxxxx> commit b18e36dfd6c935da60a971310374f3dfec3c82e1 upstream. Buffer requirement, for different buffer type, comes from video firmware. While copying these requirements, there is an OOB possibility when the payload from firmware is more than expected size. Fix the check to avoid the OOB possibility. Cc: stable@xxxxxxxxxxxxxxx Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Reviewed-by: Nathan Hebert <nhebert@xxxxxxxxxxxx> Signed-off-by: Vikash Garodia <quic_vgarodia@xxxxxxxxxxx> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@xxxxxxxxx> Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c @@ -412,7 +412,7 @@ session_get_prop_buf_req(struct hfi_msg_ memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); idx++; - if (idx > HFI_BUFFER_TYPE_MAX) + if (idx >= HFI_BUFFER_TYPE_MAX) return HFI_ERR_SESSION_INVALID_PARAMETER; req_bytes -= sizeof(struct hfi_buffer_requirements); Patches currently in stable-queue which might be from quic_vgarodia@xxxxxxxxxxx are queue-4.14/media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch queue-4.14/media-venus-hfi-add-checks-to-perform-sanity-on-queue-pointers.patch