From 52996a0685fb17a24263f3d2a435c09e4776229e Mon Sep 17 00:00:00 2001
From: Gopireddy Arunteja Reddy
Date: Mon, 27 Jan 2025 16:25:31 +0530
Subject: [PATCH] msm: eva: Copy back the validated size to avoid security issue

As we are reading the packet from a shared queue, there is a possibility to corrupt the packet->size data of shared queue by malicious FW after validating it in the kernel driver.

Change-Id: I3aae85dea560e2805e7bff2c48d4be763da597de
Signed-off-by: Gopireddy Arunteja Reddy
---
 drivers/media/platform/msm/cvp/cvp_hfi.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/msm/cvp/cvp_hfi.c b/drivers/media/platform/msm/cvp/cvp_hfi.c
index 549249695b46..1f2fb953c0c4 100644
--- a/drivers/media/platform/msm/cvp/cvp_hfi.c
+++ b/drivers/media/platform/msm/cvp/cvp_hfi.c
@@ -781,7 +781,7 @@ static int __read_queue(struct cvp_iface_q_info *qinfo, u8 *packet,
 u32 *read_ptr;
 u32 receive_request = 0;
 u32 read_idx, write_idx;
- int rc = 0;
+ int rc = 0;

 if (!qinfo || !packet || !pb_tx_req_is_set) {
 dprintk(CVP_ERR, "Invalid Params\n");
@@ -871,6 +871,12 @@ static int __read_queue(struct cvp_iface_q_info *qinfo, u8 *packet,
 (u8 *)qinfo->q_array.align_virtual_addr,
 new_read_idx << 2);
 }
+ /*
+ * Copy back the validated size to avoid security issue. As we are reading
+ * the packet from a shared queue, there is a possibility to get the
+ * packet->size data corrupted of shared queue by mallicious FW.
+ */
+ *((u32 *) packet) = packet_size_in_words << 2;
 } else {
 dprintk(CVP_WARN,
 "BAD packet received, read_idx: %#x, pkt_size: %d\n",
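Review bot: The write-back `*((u32 *) packet) = packet_size_in_words << 2;` in the second hunk closes the double fetch only if `packet_size_in_words` is itself a single snapshot of the shared-queue word; that read and its bounds check are outside this hunk, so it is worth confirming the size is fetched once (for example with `READ_ONCE(*read_ptr)`) and cannot be re-read between validation and the `memcpy` calls. The store also hard-codes the assumption that the size is the first 32-bit word of every packet and goes through a cast of a `u8 *`; a comment stating that layout, or a store through the driver's packet header type if one fits, would make the invariant explicit. Only the size field is pinned here, so every other field in the copied packet is still firmware-controlled and consumers need to validate it against this size. `__read_queue` begins and ends outside the hunk.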