From patchwork Sun Mar 19 21:51:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mauro Carvalho Chehab X-Patchwork-Id: 13180652 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id DE5E4C7618A for ; Sun, 19 Mar 2023 23:21:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Reply-To:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Cc:To: Subject:Date:From:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=8uP2ftjuZMgmjALtIEmTr42N7Z3F7i4dDiu5/PnVRfQ=; b=MHJBh8ReeBoF/X ZHbI3IW6/kKOpdIPZZa4ny/mhkscMg7yhNydoRW4KQJZqcDJlSxV19ntOZapRSuynmo74PcQ6veZC 8lMW386FyxsPDofEWnnNP62R2lPLpIsvoU5Nb4vul8MgUrCc56iDUnhqsWfuccRhv5lNQqEiYb901 HXGZ6uqcwAYczhPx2q8YFzkrmXTQQ3WHnv8Sem0A+cnN/YQx6Zr3Xx9o/uBKwLyT/ioUmrxDul9u/ muFTnj+d1CSCTtZRMjJVi5oi2QTQWdPJk4PeBjNb+fn2JZ2Achlb2c+G3ZlyZEotieVqFJjqsaY3+ y5Lhh59p/P6Dhd4uQxmg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1pe2Jl-007cUQ-2M; Sun, 19 Mar 2023 23:20:01 +0000 Received: from www.linuxtv.org ([130.149.80.248]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1pe2Jh-007cMg-0P for linux-arm-kernel@lists.infradead.org; Sun, 19 Mar 2023 23:19:59 +0000 Received: from mchehab by www.linuxtv.org with local (Exim 4.92) (envelope-from ) id 1pe2JY-003ZdE-9L; Sun, 19 Mar 2023 23:19:48 +0000 From: Mauro Carvalho Chehab Date: Sun, 19 Mar 2023 21:51:43 +0000 Subject: [git:media_stage/master] media: imx-jpeg: Bounds check sizeimage access To: linuxtv-commits@linuxtv.org Cc: Hans Verkuil , linux-arm-kernel@lists.infradead.org, Sascha Hauer , Pengutronix Kernel Team , NXP Linux Team , Fabio Estevam , Mirela Rabulea , Kees Cook , Shawn Guo Mail-followup-to: linux-media@vger.kernel.org Forward-to: linux-media@vger.kernel.org Message-Id: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230319_161957_167576_2A6341FD X-CRM114-Status: GOOD ( 14.15 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: linux-media@vger.kernel.org MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org This is an automatic generated email to let you know that the following patch were queued: Subject: media: imx-jpeg: Bounds check sizeimage access Author: Kees Cook Date: Sat Feb 4 19:38:05 2023 +0100 The call of mxc_jpeg_get_plane_size() from mxc_jpeg_dec_irq() sets plane_no argument to 1. The compiler sees that it's possible to end up with an access beyond the bounds of sizeimage, if mem_planes was too large: if (plane_no >= fmt->mem_planes) // mem_planes = 2+ return 0; if (fmt->mem_planes == fmt->comp_planes) // comp_planes != mem_planes return q_data->sizeimage[plane_no]; if (plane_no < fmt->mem_planes - 1) // mem_planes = 2 return q_data->sizeimage[plane_no]; comp_planes == 0 or 1 is safe. comp_planes > 2 would be out of bounds. (This isn't currently possible given the contents of mxc_formats, though.) Silence the warning by bounds checking comp_planes for future robustness. Seen with GCC 13: In function 'mxc_jpeg_get_plane_size', inlined from 'mxc_jpeg_dec_irq' at ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:729:14: ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:42: warning: array subscript 2 is above array bounds of 'u32[2]' {aka 'unsigned int[2]'} [-Warray-bounds=] 641 | size += q_data->sizeimage[i]; | ~~~~~~~~~~~~~~~~~^~~ In file included from ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.h:112, from ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:63: ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h: In function 'mxc_jpeg_dec_irq': ../drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h:84:41: note: while referencing 'sizeimage' 84 | u32 sizeimage[MXC_JPEG_MAX_PLANES]; | ^~~~~~~~~ Cc: Mirela Rabulea Cc: NXP Linux Team Cc: Shawn Guo Cc: Sascha Hauer Cc: Pengutronix Kernel Team Cc: Fabio Estevam Cc: linux-arm-kernel@lists.infradead.org Signed-off-by: Kees Cook Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c index f085f14d676a..c898116b763a 100644 --- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c +++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c @@ -637,6 +637,11 @@ static u32 mxc_jpeg_get_plane_size(struct mxc_jpeg_q_data *q_data, u32 plane_no) return q_data->sizeimage[plane_no]; size = q_data->sizeimage[fmt->mem_planes - 1]; + + /* Should be impossible given mxc_formats. */ + if (WARN_ON_ONCE(fmt->comp_planes > ARRAY_SIZE(q_data->sizeimage))) + return size; + for (i = fmt->mem_planes; i < fmt->comp_planes; i++) size += q_data->sizeimage[i];