| Message ID | 20200530024117.24613-1-baijiaju1990@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | media: venus: fix possible buffer overlow casued bad DMA value in venus_sfr_print() | expand |
Em Sat, 30 May 2020 10:41:17 +0800 Jia-Ju Bai <baijiaju1990@gmail.com> escreveu: > The value hdev->sfr.kva is stored in DMA memory, and it is assigned to > sfr, so sfr->buf_size can be modified at anytime by malicious hardware. > In this case, a buffer overflow may happen when the code > "sfr->data[sfr->buf_size - 1]" is executed. > > To fix this possible bug, sfr->buf_size is assigned to a local variable, > and then this variable is checked before being used. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> > --- > drivers/media/platform/qcom/venus/hfi_venus.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c > index 0d8855014ab3..4251a9e47a1b 100644 > --- a/drivers/media/platform/qcom/venus/hfi_venus.c > +++ b/drivers/media/platform/qcom/venus/hfi_venus.c > @@ -960,18 +960,23 @@ static void venus_sfr_print(struct venus_hfi_device *hdev) > { > struct device *dev = hdev->core->dev; > struct hfi_sfr *sfr = hdev->sfr.kva; > + u32 buf_size; > void *p; > > if (!sfr) > return; > > - p = memchr(sfr->data, '\0', sfr->buf_size); > + buf_size = sfr->buf_size; > + if (buf_size > 1) That seems plain wrong to me... I suspect you wanted to do, instead: if (buf_size < 1) or even: if (buf_size < 1 || buf_size >= maximum_size_of_data) > + return; > + > + p = memchr(sfr->data, '\0', buf_size); > /* > * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates > * that Venus is in the process of crashing. > */ > if (!p) > - sfr->data[sfr->buf_size - 1] = '\0'; > + sfr->data[buf_size - 1] = '\0'; Well, a malicious hardware with DMA access could simply write 0 to some random address, without needing to rely on the value of sfr->buf_size. I can't see how a change like that would prevent that. A check like that only makes sense if the driver can ever call this function with an invalid value for sfr->buf_size. > > dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data); > } Thanks, Mauro
diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c index 0d8855014ab3..4251a9e47a1b 100644 --- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c @@ -960,18 +960,23 @@ static void venus_sfr_print(struct venus_hfi_device *hdev) { struct device *dev = hdev->core->dev; struct hfi_sfr *sfr = hdev->sfr.kva; + u32 buf_size; void *p; if (!sfr) return; - p = memchr(sfr->data, '\0', sfr->buf_size); + buf_size = sfr->buf_size; + if (buf_size > 1) + return; + + p = memchr(sfr->data, '\0', buf_size); /* * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates * that Venus is in the process of crashing. */ if (!p) - sfr->data[sfr->buf_size - 1] = '\0'; + sfr->data[buf_size - 1] = '\0'; dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data); }
The value hdev->sfr.kva is stored in DMA memory, and it is assigned to sfr, so sfr->buf_size can be modified at anytime by malicious hardware. In this case, a buffer overflow may happen when the code "sfr->data[sfr->buf_size - 1]" is executed. To fix this possible bug, sfr->buf_size is assigned to a local variable, and then this variable is checked before being used. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> --- drivers/media/platform/qcom/venus/hfi_venus.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)