staging: vc04_services: vchiq-mmal: validate component index in event_to_host_cb()#7325
Closed
Sebasteuo wants to merge 1 commit intoraspberrypi:rpi-6.12.yfrom
Closed
Conversation
…_to_host_cb() event_to_host_cb() uses msg->u.event_to_host.client_component as an index into the instance->component[] array (size VCHIQ_MMAL_MAX_COMPONENTS = 64) without bounds validation. While the kernel generally trusts the hardware it is bound to, a bounds check here hardens the driver against potential firmware bugs that could otherwise cause an uncontrolled out-of-bounds array access and kernel crash. Add a bounds check on comp_idx before using it as an array index and move the component pointer assignment after the validation. Use pr_err_ratelimited() to avoid log flooding. Note: this file does not currently have access to a struct device, so dev_err() is not available. Cc: stable@vger.kernel.org Fixes: b18ee53 ("staging: bcm2835: Break MMAL support out from camera") Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
Collaborator
|
Should this have been submitted against rpi-6.18.y? |
Author
|
rpi-6.18.y wasn't available in the branch list when I opened this, happy to retarget if you can point me to it. |
Collaborator
|
rpi-6.18.y is the list of branches. Right here. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a rebase of PR #7296 containing only the first commit,
as requested by @popcornmix.
The remaining three patches (inline_receive buffer check,
port_parameter_set stack overflow, port_parameter_get underflow)
apply to upstream code and will be submitted to the mainline
kernel via the staging mailing list separately.