[PATCH v3 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS
From: Doruk Tan Ozturk
Date: Sat Jun 27 2026 - 06:02:03 EST
atomisp_v4l2_framebuffer_to_css_frame() allocates the CSS frame from
arg->fmt.{width,height,pixelformat}, but then copies and stores
arg->fmt.sizeimage bytes into it. sizeimage is an independent,
user-controlled v4l2_pix_format field, and nothing checks it against the
allocated frame, so a sizeimage larger than width*height*bpp overflows
res->data in hmm_store().

Reject a sizeimage that exceeds the allocated frame (res->data_bytes)
before the copy/store.

Note this ioctl path (S_ISP_FPN_TABLE) is currently gated off by
2b7eb2c5dc72 ("staging: media: atomisp: Disallow all private IOCTLs"),
so it is not reachable from userspace today; this hardens the
disabled-but-revivable path.

Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).
Found by static analysis; not yet runtime-reproduced (Intel
Baytrail/Cherrytrail ISP hardware required).

Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Assisted-by: 0sec:claude-opus-4.8
Signed-off-by: Doruk Tan Ozturk <doruk@xxxxxxx>
---
drivers/staging/media/atomisp/pci/atomisp_cmd.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
index fec369575d88..04e7b2e03f34 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
@@ -3323,6 +3323,11 @@ atomisp_v4l2_framebuffer_to_css_frame(const struct v4l2_framebuffer *arg,
goto err;
}
+ if (arg->fmt.sizeimage > res->data_bytes) {
+ ret = -EINVAL;
+ goto err;
+ }
+
tmp_buf = vmalloc(arg->fmt.sizeimage);
if (!tmp_buf) {
ret = -ENOMEM;
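Review bot: the new check only bounds sizeimage from above (`if (arg->fmt.sizeimage > res->data_bytes)`), so a sizeimage of 0 or one smaller than the frame still passes and is then handed to `vmalloc(arg->fmt.sizeimage)` and the subsequent copy/store, leaving the remainder of the CSS frame unwritten by this path. Either also reject the lower bound (e.g. `if (!arg->fmt.sizeimage || arg->fmt.sizeimage > res->data_bytes)`) or state in the commit message why a short copy is acceptable for the FPN table. A one-line comment above the check noting that sizeimage is a user-supplied field independent of width/height/pixelformat would also help future readers understand why it is validated against res->data_bytes rather than recomputed.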
--
2.53.0