Received: by 2002:a05:6358:51dd:b0:131:369:b2a3 with SMTP id 29csp585468rwl; Wed, 9 Aug 2023 20:55:08 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGtFwH6w+pyApTTNPtIBgCj9BuR8w0l4PpN5yoef7y/mlTaFq8+tqD3JuSlLGdwNAKiUIxe X-Received: by 2002:a17:907:7628:b0:99b:605b:1f49 with SMTP id jy8-20020a170907762800b0099b605b1f49mr922446ejc.36.1691639707872; Wed, 09 Aug 2023 20:55:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691639707; cv=none; d=google.com; s=arc-20160816; b=QAlUXuVaJKyBGbGinv/qW9/t8XE97sblwLFhbR9KiWi9lbBgyiYtKtkTdB1dEqWmEe ZsSkzvAAjPV+Qi5mw/otRCUe3JqmEs9y6LrNHHhARTX7fMiH1BDQ4hdg4WEKtqR2Y+kd 9oQIIY5/g+adfMKli/XdVhBlFWmuFtVQwHOA/EDK9VYp1aNYEhwKq1jlEobI3UyKCAyB xUaNEjX5XaQwXewLrAAH8+NtRdXkY/DAf4HiEn97/9jzS9qRW57sOoYQvSN1q6RDB0JR BmZEOflxMEKcCMkSENkJOMe/MEC+tsvCw/TuB2rTpL+AcXTj7s026O5HnhhHFnm1uaBm 2wRA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:in-reply-to:message-id :date:subject:cc:to:from:dkim-signature; bh=Id3qv/5ZcdycMZ8v5o4bZF4k+g39Mbe/s38TYj1GJkI=; fh=GcndwOMBf1bnpW+bW+jgpNWzVvxAZNEz+Wt3jUkG7qY=; b=UJBYalPT7MKxeFwUx5WoB2O+tZdJebNWeiwrsFZpX7Z43OSdGiGesY0HLY8DNIdVu8 xqM20ELnpxu9DvOye6uvXUgzGFiMqqGIhSv1rUFKtl9QxQG52GUXF5hlrPvg9+PKo1CV 2gO+1gMO7UEbfLZo7UCH49IZ8s5uUKoMfeijfPQm+emSVJGfAfa/aPLoMJ1pQ6bCPx8i Lt6Ltx2/zRkx0vnTNPK/VOl2qIKWW9uQoOtYfurV2kxNypDXxux784DxavCtJEprjQRL SqixyoPQJ+x0JUHeHGvC7VYhS9vsMGVRrTu+YmHv5YHIunQ2IUUMsy4MBrKbbwLIc7M0 ndyQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b="iag/iiCz"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u9-20020a1709064ac900b0099bc8f0358asi592176ejt.918.2023.08.09.20.54.42; Wed, 09 Aug 2023 20:55:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b="iag/iiCz"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231962AbjHJC0D (ORCPT + 99 others); Wed, 9 Aug 2023 22:26:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47894 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231787AbjHJC0B (ORCPT ); Wed, 9 Aug 2023 22:26:01 -0400 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 44AF31BCF; Wed, 9 Aug 2023 19:26:01 -0700 (PDT) Received: from pps.filterd (m0279870.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 37A2JCqQ010471; Thu, 10 Aug 2023 02:25:56 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-type; s=qcppdkim1; bh=Id3qv/5ZcdycMZ8v5o4bZF4k+g39Mbe/s38TYj1GJkI=; b=iag/iiCz3X8WQ/KoASNhlaMyNTqnMunQxUNIg0xU5ls+avuv9rlKn1bJxTxxV65RMnKr 0cggecLiUekr85WOD9KCbdHCLApX7F4WPwk8tWnbgFtUyb3BRwh7AmeH7EvAiNkeSplW zwAU5051GVPns+VM4GuSuIPGMcW9pR675gEtRG6uwZJkf4wT7BwjLtdCKI3XyLBly6+h wdxwMWE3zQmckX+byqpzEAvyC7SFEsLxFytKYVCgepojev3ls3q7ebkIQHvHcc0XB2pX lhYHeElQrwsY3NyNbM567ai/ziTDnFj+PFSXazzDiDTWMB4TD1Qql/2R4EfbvPDixvln rQ== Received: from nasanppmta02.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3scnsf83v5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 10 Aug 2023 02:25:56 +0000 Received: from nasanex01a.na.qualcomm.com (nasanex01a.na.qualcomm.com [10.52.223.231]) by NASANPPMTA02.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 37A2Ptg6010223 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 10 Aug 2023 02:25:55 GMT Received: from hu-vgarodia-hyd.qualcomm.com (10.80.80.8) by nasanex01a.na.qualcomm.com (10.52.223.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.30; Wed, 9 Aug 2023 19:25:51 -0700 From: Vikash Garodia To: , , , , , , , CC: , , , , Vikash Garodia Subject: [PATCH v2 3/4] venus: hfi: add checks to handle capabilities from firmware Date: Thu, 10 Aug 2023 07:55:03 +0530 Message-ID: <1691634304-2158-4-git-send-email-quic_vgarodia@quicinc.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1691634304-2158-1-git-send-email-quic_vgarodia@quicinc.com> References: <1691634304-2158-1-git-send-email-quic_vgarodia@quicinc.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nasanex01a.na.qualcomm.com (10.52.223.231) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: ilFCVncCkjlMY-_iU9vbPejh-4ZgEk8J X-Proofpoint-ORIG-GUID: ilFCVncCkjlMY-_iU9vbPejh-4ZgEk8J X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.957,Hydra:6.0.591,FMLib:17.11.176.26 definitions=2023-08-10_01,2023-08-09_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 bulkscore=0 impostorscore=0 mlxscore=0 spamscore=0 lowpriorityscore=0 adultscore=0 mlxlogscore=999 malwarescore=0 priorityscore=1501 clxscore=1015 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2306200000 definitions=main-2308100019 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The hfi parser, parses the capabilities received from venus firmware and copies them to core capabilities. Consider below api, for example, fill_caps - In this api, caps in core structure gets updated with the number of capabilities received in firmware data payload. If the same api is called multiple times, there is a possibility of copying beyond the max allocated size in core caps. Similar possibilities in fill_raw_fmts and fill_profile_level functions. Cc: stable@vger.kernel.org Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_parser.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c index 6cf74b2..9d6ba22 100644 --- a/drivers/media/platform/qcom/venus/hfi_parser.c +++ b/drivers/media/platform/qcom/venus/hfi_parser.c @@ -86,6 +86,9 @@ static void fill_profile_level(struct hfi_plat_caps *cap, const void *data, { const struct hfi_profile_level *pl = data; + if (cap->num_pl + num >= HFI_MAX_PROFILE_COUNT) + return; + memcpy(&cap->pl[cap->num_pl], pl, num * sizeof(*pl)); cap->num_pl += num; } @@ -111,6 +114,9 @@ fill_caps(struct hfi_plat_caps *cap, const void *data, unsigned int num) { const struct hfi_capability *caps = data; + if (cap->num_caps + num >= MAX_CAP_ENTRIES) + return; + memcpy(&cap->caps[cap->num_caps], caps, num * sizeof(*caps)); cap->num_caps += num; } @@ -137,6 +143,9 @@ static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts, { const struct raw_formats *formats = fmts; + if (cap->num_fmts + num_fmts >= MAX_FMT_ENTRIES) + return; + memcpy(&cap->fmts[cap->num_fmts], formats, num_fmts * sizeof(*formats)); cap->num_fmts += num_fmts; } @@ -159,6 +168,9 @@ parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data) rawfmts[i].buftype = fmt->buffer_type; i++; + if (i >= MAX_FMT_ENTRIES) + return; + if (pinfo->num_planes > MAX_PLANES) break; -- 2.7.4