From: sun yq
Date: Tue, 27 Jun 2023 20:28:11 +0800
Subject: Re: [PATCH] OOB read and write in mtk multiple places
To: yqsun1997@gmail.com, tiffany.lin@mediatek.com, andrew-ct.chen@mediatek.com, yunfei.dong@mediatek.com, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, 499671216@qq.com

When using V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE, the number of planes is
controlled by the user. Only checking the OOB at the function may miss
other functions, so it is appropriate to change the size of the macro.
You can refer to other functions, such as mtk_dip_vb2_video_queue_setup;
the max plane size of this module is 8.

On Tue, Jun 27, 2023 at 6:42 PM Alain Volmat wrote:
>
> Hi,
>
> I had a look at some places where this macro MTK_VCODEC_MAX_PLANES
> is being used, such as q_data->bytesperline etc.
> This patch seems to be increasing the table size from 3 to 8 but,
> if my understanding is correct doesn't solve the issue that
> (taking the example you give in vidioc_venc_g_fmt) the table
> bytesperline is accessed taking into account a num_planes value which
> is unchecked if appropriate for this driver.
>
> What are the 8 planes you are referring to?
>
> While increasing the table to 8 might also be necessary, it seems to me
> that the real OOB access issue should be solved by checking the num of
> planes value.
>
> Regards,
> Alain
>
> On Tue, Jun 27, 2023 at 04:10:02PM +0800, yqsun1997@gmail.com wrote:
> > From: yqsun1997
> >
> > The num_planes max index is 8,
> > but bytesperline and bytesperline in struct mtk_q_data,
> > The max index is MTK_VCODEC_MAX_PLANES == 3,
> > so will cause OOB read and write in multiple places.like vidioc_venc_g_fmt
> > same as commit 8fbcf730
> >
> > Signed-off-by: yqsun1997
> > ---
> > drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h b/= drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h
> > index 9acab54fd..c2c157675 100644
> > --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h
> > +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_drv.h
> > @@ -22,7 +22,7 @@
> > #define MTK_VCODEC_DEC_NAME "mtk-vcodec-dec"
> > #define MTK_VCODEC_ENC_NAME "mtk-vcodec-enc"
> >
> > -#define MTK_VCODEC_MAX_PLANES 3
> > +#define MTK_VCODEC_MAX_PLANES 8
> > #define MTK_V4L2_BENCHMARK 0
> > #define WAIT_INTR_TIMEOUT_MS 1000
> > #define IS_VDEC_LAT_ARCH(hw_arch) ((hw_arch) >=3D MTK_VDEC_LAT_SINGLE_= CORE)
> > --
> > 2.39.2
> >
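
Review bot: The `+#define MTK_VCODEC_MAX_PLANES 8` line enlarges every array sized by this macro but puts no bound on num_planes itself, so the out-of-bounds access is only moved further out and the fix relies on every consumer being sized by this one macro. As the reply above points out, the commit message's own example (vidioc_venc_g_fmt) indexes bytesperline with a num_planes value that is not validated; rejecting or clamping num_planes against MTK_VCODEC_MAX_PLANES at the point where the user-supplied format is accepted would close the access regardless of the array size. The commit message also needs tightening: "bytesperline and bytesperline" names the same field twice, it does not say where the limit of 8 comes from, and "same as commit 8fbcf730" gives neither the commit subject nor a Fixes: tag.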