
Commit 143f5001 authored by ptak

msm: cvp: OOB write fix due to integer underflow



If FW sends a pkt->size which is less than the sizeof packet structure
then pkt->size - sizeof() would result in an integer underflow.
Due to this the subsequent check would be bypassed and we will
start writing to OOB memory.

Change-Id: Icb3e4e6d64275592ceb6f747de653dcc1c65fec7
Signed-off-by: ptak <quic_ptak@quicinc.com>
parent 02194073
+2 −1
// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
 * Copyright (c) 2022-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */

#include <linux/bitops.h>
@@ -559,7 +560,7 @@ static void hfi_process_sys_get_prop_image_version(
	int req_bytes;

	req_bytes = pkt->size - sizeof(*pkt);
	if (req_bytes < version_string_size ||
	if (req_bytes < (signed int)version_string_size ||
			!pkt->rg_property_data[1] ||
			pkt->num_properties > 1) {
		dprintk(CVP_ERR, "%s: bad_pkt: %d\n", __func__, req_bytes);
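Review bot: The new comparison `req_bytes < (signed int)version_string_size` still depends on `req_bytes = pkt->size - sizeof(*pkt);` coming out negative, and that subtraction involves `sizeof`, so it is carried out in unsigned arithmetic and only turns negative when the wrapped result is converted to `int`. An explicit `pkt->size < sizeof(*pkt)` rejection before the subtraction would express the intended bound directly and keep the check from resting on that conversion. It would also let the `bad_pkt` message log `pkt->size` itself, which is more useful when triaging a malformed firmware packet than the derived `req_bytes`. If the cast is kept, a short comment next to it saying why the comparison must be signed would help prevent it being removed later as redundant.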