Re: [PATCH v3 1/2] media: atomisp: validate sizeimage against the allocated frame in framebuffer-to-CSS
From: Andy Shevchenko
Date: Mon Jun 29 2026 - 12:29:26 EST
On Sat, Jun 27, 2026 at 12:01:18PM +0200, Doruk Tan Ozturk wrote:
> atomisp_v4l2_framebuffer_to_css_frame() allocates the CSS frame from
> arg->fmt.{width,height,pixelformat}, but then copies and stores
> arg->fmt.sizeimage bytes into it. sizeimage is an independent,
> user-controlled v4l2_pix_format field, and nothing checks it against the
> allocated frame, so a sizeimage larger than width*height*bpp overflows
> res->data in hmm_store().
>
> Reject a sizeimage that exceeds the allocated frame (res->data_bytes)
> before the copy/store.
>
> Note this ioctl path (S_ISP_FPN_TABLE) is currently gated off by
> 2b7eb2c5dc72 ("staging: media: atomisp: Disallow all private IOCTLs"),
> so it is not reachable from userspace today; this hardens the
> disabled-but-revivable path.
> Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).
> Found by static analysis; not yet runtime-reproduced (Intel
> Baytrail/Cherrytrail ISP hardware required).
This can go to the comment block. Otherwise you have a tag below already.
Same for other patches in the series.
> Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
> Assisted-by: 0sec:claude-opus-4.8
> Signed-off-by: Doruk Tan Ozturk <doruk@xxxxxxx>
--
With Best Regards,
Andy Shevchenko
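As an added illustration of the check the commit message describes (example code written for this thread, not the atomisp driver's own code): a userspace model in which the frame buffer is sized only from width, height and bytes-per-pixel, while a separate user-supplied sizeimage must be validated against the allocated size before anything is copied. All names here (css_frame, pix_fmt, frame_alloc, frame_overrun_bytes, frame_store_checked) are hypothetical stand-ins, not driver identifiers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the CSS frame: data_bytes comes from the
 * geometry alone, never from sizeimage. */
struct css_frame {
	size_t data_bytes;
	uint8_t *data;
};

/* Hypothetical stand-in for the user-controlled pixel-format fields;
 * sizeimage is independent of width and height. */
struct pix_fmt {
	uint32_t width, height, sizeimage;
};

static struct css_frame *frame_alloc(uint32_t width, uint32_t height, uint32_t bpp)
{
	struct css_frame *f = calloc(1, sizeof(*f));
	if (!f)
		return NULL;
	/* Allocation size derives from geometry only (cast avoids 32-bit wrap). */
	f->data_bytes = (size_t)width * height * bpp;
	f->data = calloc(f->data_bytes, 1);
	if (!f->data) {
		free(f);
		return NULL;
	}
	return f;
}

/* How far an unchecked copy of sizeimage bytes would run past the end of
 * the frame; 0 means it fits. Computed, never performed. */
static size_t frame_overrun_bytes(const struct css_frame *f, const struct pix_fmt *fmt)
{
	return fmt->sizeimage > f->data_bytes ? fmt->sizeimage - f->data_bytes : 0;
}

/* Hardened store: reject an oversized sizeimage before touching the buffer. */
static int frame_store_checked(struct css_frame *f, const struct pix_fmt *fmt,
			       const uint8_t *user_buf)
{
	if (fmt->sizeimage > f->data_bytes)
		return -EINVAL;
	memcpy(f->data, user_buf, fmt->sizeimage);
	return 0;
}
```

A 4x2 frame at 2 bytes per pixel allocates 16 bytes, so sizeimage of 16 is accepted and 17 is rejected with -EINVAL instead of writing one byte past the buffer.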