TechPanelGM/kernel_xiaomi_sm8250
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

msm: eva: Copy back the validated size to avoid security issue

Browse Source 
As we are reading the packet from a shared queue, there is a
possibility to corrupt the packet->size data of shared queue by
malicious FW after validating it in the kernel driver.

Change-Id: I3aae85dea560e2805e7bff2c48d4be763da597de
Signed-off-by: Gopireddy Arunteja Reddy <quic_garuntej@quicinc.com>
This commit is contained in:
Gopireddy Arunteja Reddy
2025-01-27 16:25:31 +05:30
committed by Sumangala P
parent f2ff8b3e04
commit 52996a0685
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/media/platform/msm/cvp/cvp_hfi.c
View File

@@ -781,7 +781,7 @@ static int __read_queue(struct cvp_iface_q_info *qinfo, u8 *packet,
u32 *read_ptr; u32 *read_ptr;
u32 receive_request = 0; u32 receive_request = 0;
u32 read_idx, write_idx; u32 read_idx, write_idx;
int rc = 0; int rc = 0;
if (!qinfo || !packet || !pb_tx_req_is_set) { if (!qinfo || !packet || !pb_tx_req_is_set) {
dprintk(CVP_ERR, "Invalid Params\n"); dprintk(CVP_ERR, "Invalid Params\n");
@@ -871,6 +871,12 @@ static int __read_queue(struct cvp_iface_q_info *qinfo, u8 *packet,
(u8 *)qinfo->q_array.align_virtual_addr, (u8 *)qinfo->q_array.align_virtual_addr,
new_read_idx << 2); new_read_idx << 2);
} }
/*
* Copy back the validated size to avoid security issue. As we are reading
* the packet from a shared queue, there is a possibility to get the
* packet->size data corrupted of shared queue by mallicious FW.
*/
*((u32 *) packet) = packet_size_in_words << 2;
} else { } else {
dprintk(CVP_WARN, dprintk(CVP_WARN,
"BAD packet received, read_idx: %#x, pkt_size: %d\n", "BAD packet received, read_idx: %#x, pkt_size: %d\n",