[PATCH v2 0/2] media: atomisp: validate user-supplied buffer sizes in two ioctl paths

From: Doruk Tan Ozturk

Date: Sat Jun 27 2026 - 02:39:39 EST


Two ioctl paths in the Intel AtomISP staging driver share the same
defect class: one user-controlled field sizes the destination buffer
while a separate user-controlled field sizes the copy/store, with no
cross-validation between them. A local caller on an atomisp V4L2 device
can drive a kernel heap out-of-bounds write with attacker-controlled
length (and, for both, attacker-controlled contents).

Patch 1 (framebuffer-to-CSS, FPN / S_FBUF path) bounds arg->fmt.sizeimage
to the frame allocated from width/height/format before the copy/store.

Patch 2 (S_DIS_VECTOR DVS 6-axis config) bounds the user-supplied
width/height dimensions to the stream-grid-sized destination config in
both the ISP2401 and ISP2400 branches before the first copy.

Both were found by 0sec's autonomous vulnerability analysis
(https://0sec.ai) via static analysis; neither is yet runtime-reproduced
(Intel Baytrail/Cherrytrail ISP hardware required).

v2: add Fixes: tags (Dan Carpenter).

Doruk Tan Ozturk (2):
  media: atomisp: validate sizeimage against the allocated frame in
    framebuffer-to-CSS
  media: atomisp: bound DVS 6-axis table dimensions to the allocated
    config

 .../staging/media/atomisp/pci/atomisp_cmd.c | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)

--
2.53.0
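
Added example, not part of the posted series and not the atomisp driver's code: a user-space C model of the defect class described in the cover letter, where geometry fields size the allocation and a separate length field sizes the copy. The names struct fb_req, frame_bytes and store_frame_checked are hypothetical; the comparison marked "cross-check" is the validation whose absence produces the out-of-bounds write.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request: geometry sizes the buffer, sizeimage sizes the copy. */
struct fb_req {
    uint32_t width, height, bytes_per_pixel;
    uint32_t sizeimage;     /* caller-declared payload length */
    const uint8_t *payload; /* caller-supplied data */
};

/* Overflow-checked width * height * bytes_per_pixel. */
static int frame_bytes(const struct fb_req *r, size_t *out)
{
    /* Two 32-bit factors cannot wrap a 64-bit product. */
    uint64_t n = (uint64_t)r->width * r->height;

    if (!n || !r->bytes_per_pixel)
        return -EINVAL;
    if (n > SIZE_MAX / r->bytes_per_pixel)
        return -EOVERFLOW;
    *out = (size_t)(n * r->bytes_per_pixel);
    return 0;
}

/* Returns the number of bytes stored, or a negative errno. */
static long store_frame_checked(const struct fb_req *r)
{
    size_t alloc;
    uint8_t *frame;
    int err = frame_bytes(r, &alloc);

    if (err)
        return err;
    /* cross-check: the copy length must fit the allocation */
    if (r->sizeimage > alloc || !r->payload)
        return -EINVAL;
    frame = malloc(alloc);
    if (!frame)
        return -ENOMEM;
    memcpy(frame, r->payload, r->sizeimage);
    free(frame);
    return (long)r->sizeimage;
}

int main(void)
{
    uint8_t data[64] = {0};                  /* constructed payload */
    struct fb_req bad = {4, 4, 2, 64, data}; /* 32-byte frame, 64-byte copy */
    return store_frame_checked(&bad) == -EINVAL ? 0 : 1;
}
```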