Evolution-X-Devices/kernel_nothing_sm7325
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "msm: eva: Copy back the validated size to avoid security issue" into kernel.lnx.5.4.r1-rel

Browse Source
This commit is contained in:
Linux Build Service Account
2025-01-24 04:34:56 -08:00
committed by Gerrit - the friendly Code Review server
parent d7c484822f f4425004fe
commit c96b7bed76
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/media/platform/msm/cvp/cvp_hfi.c
View File

@@ -717,7 +717,7 @@ static int __read_queue(struct cvp_iface_q_info *qinfo, u8 *packet,
u32 *read_ptr;
u32 receive_request = 0;
u32 read_idx, write_idx;
int rc = 0;
int rc = 0;
if (!qinfo || !packet || !pb_tx_req_is_set) {
dprintk(CVP_ERR, "Invalid Params\n");
@@ -807,6 +807,12 @@ static int __read_queue(struct cvp_iface_q_info *qinfo, u8 *packet,
(u8 *)qinfo->q_array.align_virtual_addr,
new_read_idx << 2);
}
/*
* Copy back the validated size to avoid security issue. As we are reading
* the packet from a shared queue, there is a possibility to get the
* packet->size data corrupted of shared queue by mallicious FW.
*/
*((u32 *) packet) = packet_size_in_words << 2;
} else {
dprintk(CVP_WARN,
"BAD packet received, read_idx: %#x, pkt_size: %d\n",