Re: [PATCH v2 2/4] media: venus: hfi_parser: avoid OOB access beyond payload word count

From: Vikash Garodia
Date: Mon Dec 02 2024 - 09:39:01 EST



On 12/2/2024 5:38 PM, Bryan O'Donoghue wrote:
> On 28/11/2024 05:05, Vikash Garodia wrote:
>> words_count denotes the number of words in total payload, while data
>> points to payload of various property within it. When words_count
>> reaches last word, data can access memory beyond the total payload. This
>> can lead to OOB access. Refactor the parsing logic such that the
>> remaining payload is checked before parsing it.
>>
>> Cc: stable@xxxxxxxxxxxxxxx
>> Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
>> Signed-off-by: Vikash Garodia <quic_vgarodia@xxxxxxxxxxx>
>> ---
>>   drivers/media/platform/qcom/venus/hfi_parser.c | 57 +++++++++++++++++++++-----
>>   1 file changed, 46 insertions(+), 11 deletions(-)
>>
>> diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c
>> b/drivers/media/platform/qcom/venus/hfi_parser.c
>> index
>> 1cc17f3dc8948160ea6c3015d2c03e475b8aa29e..14349c2f84b205a8b79dee3acff1408bb63ac54a 100644
>> --- a/drivers/media/platform/qcom/venus/hfi_parser.c
>> +++ b/drivers/media/platform/qcom/venus/hfi_parser.c
>> @@ -282,8 +282,8 @@ static int hfi_platform_parser(struct venus_core *core,
>> struct venus_inst *inst)
>>   u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
>>              u32 size)
>>   {
>> +    u32 *words = buf, *payload, codecs = 0, domain = 0;
>>       unsigned int words_count = size >> 2;
>> -    u32 *word = buf, *data, codecs = 0, domain = 0;
>>       int ret;
>>         ret = hfi_platform_parser(core, inst);
>> @@ -301,36 +301,71 @@ u32 hfi_parser(struct venus_core *core, struct
>> venus_inst *inst, void *buf,
>>       }
>>         while (words_count) {
>> -        data = word + 1;
>> +        payload = words + 1;
>>   -        switch (*word) {
>> +        switch (*words) {
>>           case HFI_PROPERTY_PARAM_CODEC_SUPPORTED:
>> -            parse_codecs(core, data);
>> +            if (words_count < sizeof(struct hfi_codec_supported))
>> +                return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
>> +
>> +            parse_codecs(core, payload);
>>               init_codecs(core);
>> +            words_count -= sizeof(struct hfi_codec_supported);
>> +            words += sizeof(struct hfi_codec_supported);
>>               break;
>>           case HFI_PROPERTY_PARAM_MAX_SESSIONS_SUPPORTED:
>> -            parse_max_sessions(core, data);
>> +            if (words_count < sizeof(struct hfi_max_sessions_supported))
>> +                return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
>> +
>> +            parse_max_sessions(core, payload);
>> +            words_count -= sizeof(struct hfi_max_sessions_supported);
>> +            words += sizeof(struct hfi_max_sessions_supported);
>>               break;
>>           case HFI_PROPERTY_PARAM_CODEC_MASK_SUPPORTED:
>> -            parse_codecs_mask(&codecs, &domain, data);
>> +            if (words_count < sizeof(struct hfi_codec_mask_supported))
>> +                return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
>> +
>> +            parse_codecs_mask(&codecs, &domain, payload);
>> +            words_count -= sizeof(struct hfi_codec_mask_supported);
>> +            words += sizeof(struct hfi_codec_mask_supported);
>>               break;
>>           case HFI_PROPERTY_PARAM_UNCOMPRESSED_FORMAT_SUPPORTED:
>> -            parse_raw_formats(core, codecs, domain, data);
>> +            if (words_count < sizeof(struct hfi_uncompressed_format_supported))
>> +                return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
>> +
>> +            parse_raw_formats(core, codecs, domain, payload);
>> +            words_count -= sizeof(struct hfi_uncompressed_format_supported);
>> +            words += sizeof(struct hfi_uncompressed_format_supported);
>>               break;
>>           case HFI_PROPERTY_PARAM_CAPABILITY_SUPPORTED:
>> -            parse_caps(core, codecs, domain, data);
>> +            if (words_count < sizeof(struct hfi_capabilities))
>> +                return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
>> +
>> +            parse_caps(core, codecs, domain, payload);
>> +            words_count -= sizeof(struct hfi_capabilities);
>> +            words += sizeof(struct hfi_capabilities);
>>               break;
>>           case HFI_PROPERTY_PARAM_PROFILE_LEVEL_SUPPORTED:
>> -            parse_profile_level(core, codecs, domain, data);
>> +            if (words_count < sizeof(struct hfi_profile_level_supported))
>> +                return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
>> +
>> +            parse_profile_level(core, codecs, domain, payload);
>> +            words_count -= sizeof(struct hfi_profile_level_supported);
>> +            words += sizeof(struct hfi_profile_level_supported);
>>               break;
>>           case HFI_PROPERTY_PARAM_BUFFER_ALLOC_MODE_SUPPORTED:
>> -            parse_alloc_mode(core, codecs, domain, data);
>> +            if (words_count < sizeof(struct hfi_buffer_alloc_mode_supported))
>> +                return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
>> +
>> +            parse_alloc_mode(core, codecs, domain, payload);
>> +            words_count -= sizeof(struct hfi_buffer_alloc_mode_supported);
>> +            words += sizeof(struct hfi_buffer_alloc_mode_supported);
>>               break;
>>           default:
>>               break;
>>           }
>>   -        word++;
>> +        words++;
>>           words_count--;
>>       }
>>  
>
> I like the changes made here.
>
> Let me suggest you have the parse_something() return the size of the buffer
> consumed or an error code.
>
> If you calculate the maximum pointer instead of the words_count
>
> frame_size = payload + max;
>
> /* Your while can look like this */
>
> while (words < frame_size)
> switch(*words){
> case HFI_PROPERTY_X:
>     /* if the function returns the bytes consumed */
>     ret = parse_x();
>     break;
> case HFI_PROPERTY_X:
>     ret = parse_x();
>     break;
> }
>
> if (ret < 0)
>     return -ret;
>
> /* you can increment the pointer once at the bottom of the loop */
> words += ret;
> }
>
>
> That way you can
>
> 1. Get rid of words_count and not have to decrement it
> 2. Have one variable words which is checked against the maximum
>    size while(words < frame_size)
> 3. Have the function that consumes the data return
>    how much buffer it has consumed, instead of inlining in the
>    switch
> 4. Increment at the bottom of the switch once instead
>    of several times in the switch
>
> IMO it would be clearer/neater that way. Please consider.
Appreciate your time to dig deeper into it. Expanding your suggestion, filling
in the details

frame_size = words + size;

/* Your while can look like this */

while (words < frame_size)
remaining_size = framesize - words;
switch(*words){
case HFI_PROPERTY_X:
if (remaining_size < sizeof(payload_X)
return insuff_res;
/* if the function returns the bytes consumed */
ret = parse_x(core, words + 1);
break;
case HFI_PROPERTY_Y:
if (remaining_size < sizeof(payload_X)
return insuff_res;
ret = parse_y(core, words + 1);
break;
default:
ret = 1;
}

if (ret < 0)
return -ret;

/* you can increment the pointer once at the bottom of the loop */
words += ret;
}

If you see, words_count is doing the role of remaining_size. In existing
implementation as well, we can move those increments per case to once per loop,
just that to avoid incrementing for default case.

Regards,
Vikash