Re: [PATCH v2 0/2] media: atomisp: validate user-supplied buffer sizes in two ioctl paths
From: Greg Kroah-Hartman
Date: Sat Jun 27 2026 - 03:59:27 EST
On Sat, Jun 27, 2026 at 08:39:21AM +0200, Doruk Tan Ozturk wrote:
> Two ioctl paths in the Intel AtomISP staging driver share the same
> defect class: one user-controlled field sizes the destination buffer
> while a separate user-controlled field sizes the copy/store, with no
> cross-validation between them. A local caller on an atomisp V4L2 device
> can drive a kernel heap out-of-bounds write with attacker-controlled
> length (and, for both, attacker-controlled contents).
>
> Patch 1 (framebuffer-to-CSS, FPN / S_FBUF path) bounds arg->fmt.sizeimage
> to the frame allocated from width/height/format before the copy/store.
>
> Patch 2 (S_DIS_VECTOR DVS 6-axis config) bounds the user-supplied
> width/height dimensions to the stream-grid-sized destination config in
> both the ISP2401 and ISP2400 branches before the first copy.
>
> Both were found by 0sec's autonomous vulnerability analysis
> (https://0sec.ai) via static analysis; neither is yet runtime-reproduced
> (Intel Baytrail/Cherrytrail ISP hardware required).
Please document this in the assisted-by tag as the documentation
requires.
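The defect class the cover letter describes, shown as an added, self-contained C example (not atomisp code and not part of the patches; every name here is hypothetical): one user-controlled field set sizes the allocation, a second user-controlled field sizes the copy, and the fix is to bound the copy length to what was actually allocated, with an overflow-safe size computation on the allocation side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the user-controlled fields of a V4L2-style
 * format argument (hypothetical names, not the driver's own). */
struct user_fmt {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
    uint32_t sizeimage;      /* user-supplied byte count that sizes the copy */
};

struct frame {
    size_t alloc_len;        /* bytes actually allocated from width/height/bpp */
    uint8_t *data;
};

#define MAX_DIM 8192u

/* Compute the frame size from the dimensions, refusing zero/absurd values so
 * the multiplication cannot overflow. Returns 0 on rejection. */
size_t frame_size_checked(uint32_t w, uint32_t h, uint32_t bpp)
{
    if (w == 0 || h == 0 || bpp == 0 || w > MAX_DIM || h > MAX_DIM || bpp > 8)
        return 0;
    return (size_t)w * h * bpp;      /* 8192 * 8192 * 8 fits in 32 bits */
}

int frame_alloc(struct frame *f, const struct user_fmt *arg)
{
    size_t n = frame_size_checked(arg->width, arg->height, arg->bytes_per_pixel);
    if (n == 0)
        return -1;
    f->data = calloc(n, 1);
    if (!f->data)
        return -1;
    f->alloc_len = n;
    return 0;
}

/* Vulnerable pattern (for contrast only; never called below): the copy length
 * comes from arg->sizeimage and is never compared with f->alloc_len, so a
 * sizeimage larger than the allocation writes past the heap buffer. */
int store_frame_unchecked(struct frame *f, const struct user_fmt *arg, const uint8_t *src)
{
    memcpy(f->data, src, arg->sizeimage);
    return 0;
}

/* Hardened pattern: cross-validate the copy length against the allocation
 * before any copy or store happens. */
int store_frame_checked(struct frame *f, const struct user_fmt *arg, const uint8_t *src)
{
    if (arg->sizeimage == 0 || arg->sizeimage > f->alloc_len)
        return -1;                   /* -EINVAL in kernel terms */
    memcpy(f->data, src, arg->sizeimage);
    return 0;
}

/* Scenario driver: allocate from the dimensions, then attempt the checked
 * store with the given sizeimage. Returns 0 on success, -1 if the copy length
 * was rejected, -2 if the dimensions were rejected, -3 on allocation failure. */
int try_store(uint32_t w, uint32_t h, uint32_t bpp, uint32_t sizeimage)
{
    struct user_fmt arg = { w, h, bpp, sizeimage };
    struct frame f = { 0, NULL };
    if (frame_alloc(&f, &arg) < 0)
        return -2;
    /* constructed source buffer standing in for the user pages */
    uint8_t *src = calloc(sizeimage ? sizeimage : 1, 1);
    int rc = src ? store_frame_checked(&f, &arg, src) : -3;
    free(src);
    free(f.data);
    return rc;
}

int main(void)
{
    printf("fits:      %d\n", try_store(640, 480, 2, 640 * 480 * 2));      /* 0  */
    printf("too large: %d\n", try_store(640, 480, 2, 640 * 480 * 2 + 1));  /* -1 */
    printf("bad dims:  %d\n", try_store(70000, 480, 2, 16));               /* -2 */
    return 0;
}
```

The check sits before the first copy, which matters when a path copies in two stages: validating after a partial copy leaves the first stage exploitable.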