[PATCH 0/2] media: atomisp: validate user-supplied buffer sizes in two ioctl paths

From: Doruk Tan Ozturk

Date: Fri Jun 26 2026 - 12:40:55 EST


Two ioctls in the AtomISP staging driver size a kernel buffer from one
user-supplied field but use a *different* user-supplied field as the
copy/store length, with no cross-check, allowing a kernel heap/ISP-memory
out-of-bounds write:

1) atomisp_v4l2_framebuffer_to_css_frame(): frame allocated from
width/height/format, but hmm_store() uses arg->fmt.sizeimage.
2) atomisp_cp_dvs_6axis_config(): DVS 6-axis table allocated from the
stream grid, but copy_from_compatible() uses the user width/height
(both ISP2401 and ISP2400 paths).

Both add a bound check before the copy. Found by 0sec's autonomous
vulnerability analysis (https://0sec.ai); identified by static analysis,
not yet runtime-reproduced (Intel Atom ISP hardware required).


Doruk Tan Ozturk (2):
media: atomisp: validate sizeimage against the allocated frame in
framebuffer-to-CSS
media: atomisp: bound DVS 6-axis table dimensions to the allocated
config

.../staging/media/atomisp/pci/atomisp_cmd.c | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)

--
2.43.0
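The defect pattern the cover letter describes, and the fix it says both patches add (a bound check that ties the user-controlled copy length back to the geometry-derived allocation), as a small self-contained C model. This is an added example, not code from the atomisp driver or from the series: `struct user_fb`, `struct frame`, `MAX_FRAME_BYTES`, and every function below are hypothetical stand-ins for the real `width/height/sizeimage` handling, and the 0xAB payload and 64-byte staging buffer are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed upper bound for this example (not a driver constant): refuses
 * absurd geometry before any multiplication result is trusted. */
#define MAX_FRAME_BYTES (64u << 20)

/* Hypothetical user-supplied descriptor: geometry plus the user's own claim
 * of how many bytes of pixel data follow. Field names echo the cover letter
 * (width/height/sizeimage); this is not the driver's structure. */
struct user_fb {
	uint32_t width;
	uint32_t height;
	uint32_t bytes_per_pixel;
	uint32_t sizeimage;
};

/* Kernel-side frame whose buffer is sized from geometry only. */
struct frame {
	size_t data_bytes;
	uint8_t *data;
};

/* Size the frame from width/height/format, as bullet 1) describes.
 * Returns 0 on success, -1 on zero/oversized geometry or allocation failure.
 * The product is checked in two steps so it can never overflow uint64_t. */
int frame_alloc(struct frame *f, const struct user_fb *fb)
{
	uint64_t n = (uint64_t)fb->width * fb->height;
	if (!fb->width || !fb->height || !fb->bytes_per_pixel || n > MAX_FRAME_BYTES)
		return -1;
	n *= fb->bytes_per_pixel;
	if (n > MAX_FRAME_BYTES)
		return -1;
	f->data = calloc(1, (size_t)n);
	if (!f->data)
		return -1;
	f->data_bytes = (size_t)n;
	return 0;
}

void frame_free(struct frame *f)
{
	free(f->data);
	f->data = NULL;
	f->data_bytes = 0;
}

/* The cross-check the series adds: the user-controlled copy length must not
 * exceed the allocation derived from a *different* user field. A shorter
 * copy is accepted; calloc() already zeroed the remainder. */
int sizeimage_fits(const struct frame *f, const struct user_fb *fb)
{
	return fb->sizeimage <= f->data_bytes;
}

/* Vulnerable shape for comparison (never called in this example): the copy
 * length comes from fb->sizeimage with no reference to f->data_bytes, so a
 * sizeimage larger than the allocation writes past the end of f->data. */
void store_unchecked(struct frame *f, const struct user_fb *fb, const uint8_t *src)
{
	memcpy(f->data, src, fb->sizeimage);
}

/* Hardened store: reject (-1) before touching memory when the check fails,
 * otherwise copy and return the number of bytes stored. */
int store_checked(struct frame *f, const struct user_fb *fb, const uint8_t *src)
{
	if (!sizeimage_fits(f, fb))
		return -1;
	memcpy(f->data, src, fb->sizeimage);
	return (int)fb->sizeimage;
}

/* Demonstration driver: allocate from geometry, then attempt a checked store.
 * Returns bytes stored, -1 if the store was rejected, -2 if allocation was
 * refused, -3 if the constructed 64-byte staging buffer is too small, and
 * -4 if the copied bytes did not land where expected. */
int try_store(uint32_t w, uint32_t h, uint32_t bpp, uint32_t sizeimage)
{
	uint8_t src[64];
	struct user_fb fb = { w, h, bpp, sizeimage };
	struct frame f;
	int rc;

	memset(src, 0xAB, sizeof src);	/* constructed pixel payload */
	if (frame_alloc(&f, &fb))
		return -2;
	if (sizeimage_fits(&f, &fb) && sizeimage > sizeof src) {
		frame_free(&f);
		return -3;
	}
	rc = store_checked(&f, &fb, src);
	if (rc > 0 && f.data[rc - 1] != 0xAB)
		rc = -4;
	frame_free(&f);
	return rc;
}

int main(void)
{
	printf("4x4x2, sizeimage 32  -> %d\n", try_store(4, 4, 2, 32));
	printf("4x4x2, sizeimage 33  -> %d\n", try_store(4, 4, 2, 33));
	printf("65536x65536x4        -> %d\n", try_store(65536, 65536, 4, 64));
	return 0;
}
```

The same shape applies to bullet 2): the DVS table is sized from the stream grid, so the user-supplied width/height used as the copy extent must be bounded against that allocation before `copy_from_compatible()` runs, exactly as `sizeimage_fits()` gates `store_checked()` here.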