DigiGoon/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: eva: Copy back the validated size to avoid security issue

Browse source 
As we are reading the packet from a shared queue, there is a
possibility to corrupt the packet->size data of shared queue by
malicious FW after validating it in the kernel driver.

Change-Id: I9bff8f2daa64054eada37de54fe3fa837d57b22a
Signed-off-by: Aniruddh Sharma <quic_anirshar@quicinc.com>
Signed-off-by: Madhu Ananthula <quic_mananthu@quicinc.com>
(cherry picked from commit bb8a45801d247ebe5201e1e97d4e890142d6cbf7)
This commit is contained in:
Madhu Ananthula 2025-01-17 12:15:04 +05:30 committed by Vivekananda T
parent 59b19eff23
commit f4425004fe
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
drivers/media/platform/msm/cvp/cvp_hfi.c
View file

@ -717,7 +717,7 @@ static int __read_queue(struct cvp_iface_q_info *qinfo, u8 *packet,
u32 *read_ptr;
u32 receive_request = 0;
u32 read_idx, write_idx;
int rc = 0;
int rc = 0;
if (!qinfo || !packet || !pb_tx_req_is_set) {
dprintk(CVP_ERR, "Invalid Params\n");
@ -807,6 +807,12 @@ static int __read_queue(struct cvp_iface_q_info *qinfo, u8 *packet,
(u8 *)qinfo->q_array.align_virtual_addr,
new_read_idx << 2);
}
/*
* Copy back the validated size to avoid security issue. As we are reading
* the packet from a shared queue, there is a possibility to get the
* packet->size data corrupted of shared queue by mallicious FW.
*/
*((u32 *) packet) = packet_size_in_words << 2;
} else {
dprintk(CVP_WARN,
"BAD packet received, read_idx: %#x, pkt_size: %d\n",