References: <20210309234317.1021588-1-ribalda@chromium.org>
From: Ricardo Ribalda
Date: Wed, 10 Mar 2021 11:16:30 +0100
Subject: Re: [PATCH] media: videobuf2: Fix integer overrun in allocation
To: Laurent Pinchart
Cc: Tomasz Figa, Marek Szyprowski, Mauro Carvalho Chehab, Linux Media Mailing List, Linux Kernel Mailing List, stable@vger.kernel.org
List-ID: linux-kernel@vger.kernel.org

Hi Laurent

On Wed, Mar 10, 2021 at 9:12 AM Laurent Pinchart wrote:
>
> Hi Ricardo,
>
> On Wed, Mar 10, 2021 at 08:58:39AM +0100, Ricardo Ribalda wrote:
> > On Wed, Mar 10, 2021 at 8:49 AM Laurent Pinchart wrote:
> > > On Wed, Mar 10, 2021 at 12:43:17AM +0100, Ricardo Ribalda wrote:
> > > > The plane_length is an unsigned integer. So, if we have a size of
> > > > 0xffffffff bytes we incorrectly allocate 0 bytes instead of 1 << 32.
> > > >
> > > > Cc: stable@vger.kernel.org
> > > > Fixes: 7f8414594e47 ("[media] media: videobuf2: fix the length check for mmap")
> > > > Signed-off-by: Ricardo Ribalda
> > > > ---
> > > > drivers/media/common/videobuf2/videobuf2-core.c | 4 +++-
> > > > 1 file changed, 3 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
> > > > index 02281d13505f..543da515c761 100644
> > > > --- a/drivers/media/common/videobuf2/videobuf2-core.c
> > > > +++ b/drivers/media/common/videobuf2/videobuf2-core.c
> > > > @@ -223,8 +223,10 @@ static int __vb2_buf_mem_alloc(struct vb2_buffer *vb) > > > > * NOTE: mmapped areas should be page aligned > > > > */ > > > > for (plane = 0; plane < vb->num_planes; ++plane) { > > > > + unsigned long size = vb->planes[plane].length; > > > > > > unsigned long is still 32-bit on 32-bit platforms. > > > > > > > + > > > > /* Memops alloc requires size to be page aligned. */ > > > > - unsigned long size = PAGE_ALIGN(vb->planes[plane].length); > > > > + size = PAGE_ALIGN(size); > > > > > > > > /* Did it wrap around? */ > > > > if (size < vb->planes[plane].length) > > > > > > Doesn't this address the issue already ? > > > > Yes and no. If you need to allocate 0xffffffff you are still affected > > by the underrun. The core will return an error instead of doing the > > allocation. > > > > (yes, I know it is a lot of memory for a buffer) > > That's my point, I don't think there's a need for this :-) Especially > with v4l2_buffer.m.offset being a __u32, we are limited to 4GB for *all* > buffers. I guess I will convert this patch into a documentation patch, so we explicitly know the limit of the API (1<<32 - PAGE_SIZE). Thanks! > > -- > Regards, > > Laurent Pinchart -- Ricardo Ribalda
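Review bot: widening the length to unsigned long before PAGE_ALIGN() in this hunk only changes behaviour on 64-bit. On 32-bit platforms unsigned long is still 32 bits, as the thread notes, so `size = PAGE_ALIGN(size);` wraps to 0 for a 0xffffffff length exactly as before and `if (size < vb->planes[plane].length)` keeps rejecting it, while on 64-bit the same request now proceeds to the allocator as a 1 << 32 byte allocation even though, as also noted in the thread, the __u32 v4l2_buffer.m.offset limits all buffers to 4GB. Either state this 64-bit-only effect and the intended upper bound in the commit message, or reject lengths above (1 << 32) - PAGE_SIZE explicitly on all platforms instead of relying on the wrap check to do it on 32-bit only.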
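An added example, written for this page and not videobuf2 code, that makes the 32-bit versus 64-bit behaviour discussed above concrete: PAGE_ALIGN() is re-implemented at both arithmetic widths, the existing "Did it wrap around?" check is mirrored for each, and the (1 << 32) - PAGE_SIZE limit the thread arrives at is computed. PAGE_SIZE = 4096 and the function names are assumptions; the input lengths are constructed boundary values.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not videobuf2 code. It models the arithmetic the quoted
 * hunk changes: a u32 plane length is rounded up to a page boundary, and
 * the "Did it wrap around?" check rejects the result if the rounding wrapped.
 * PAGE_SIZE = 4096 and the function names below are assumptions.
 */
#undef PAGE_SIZE
#define PAGE_SIZE 4096ULL

/* PAGE_ALIGN() evaluated in 32-bit arithmetic: what a 32-bit platform does,
 * where unsigned long is 32 bits wide. 0xffffffff + 0xfff wraps to 0. */
static uint32_t page_align32(uint32_t len)
{
	uint32_t mask = (uint32_t)PAGE_SIZE - 1;
	return (len + mask) & ~mask;
}

/* PAGE_ALIGN() evaluated in 64-bit arithmetic: what a 64-bit platform does
 * once the u32 length has been widened to unsigned long before rounding. */
static uint64_t page_align64(uint32_t len)
{
	uint64_t mask = PAGE_SIZE - 1;
	return ((uint64_t)len + mask) & ~mask;
}

/* Mirrors the "Did it wrap around?" test on each platform:
 * 0 if the aligned size can be allocated, -EINVAL if the rounding wrapped. */
static int check_len_32bit(uint32_t len)
{
	return page_align32(len) < len ? -EINVAL : 0;
}

static int check_len_64bit(uint32_t len)
{
	return page_align64(len) < len ? -EINVAL : 0;
}

/* Largest u32 length whose page-aligned size still fits in 32 bits:
 * the (1 << 32) - PAGE_SIZE limit the thread arrives at. */
static uint64_t max_alignable_len(void)
{
	return (1ULL << 32) - PAGE_SIZE;
}

int main(void)
{
	/* Constructed inputs: boundary values around the 4 GiB limit. */
	static const uint32_t lengths[] = {
		1, 0xfffff000u, 0xfffff001u, 0xffffffffu,
	};

	for (size_t i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) {
		uint32_t len = lengths[i];
		printf("length 0x%08x: 32-bit -> %s (aligned 0x%08x), "
		       "64-bit -> %s (aligned 0x%llx)\n",
		       (unsigned)len,
		       check_len_32bit(len) ? "-EINVAL" : "ok",
		       (unsigned)page_align32(len),
		       check_len_64bit(len) ? "-EINVAL" : "ok",
		       (unsigned long long)page_align64(len));
	}
	printf("max length alignable on both platforms: 0x%llx\n",
	       (unsigned long long)max_alignable_len());
	return 0;
}
```

Running it shows that 0xfffff001 and 0xffffffff are rejected with -EINVAL in 32-bit arithmetic (the sum wraps to 0) but accepted in 64-bit arithmetic, where 0xffffffff rounds to 0x100000000; 0xfffff000 is the largest length accepted on both.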