From 3bc875b30c06fa6e3cadd8413ae4e4e24c28ff96 Mon Sep 17 00:00:00 2001
From: Palak Joshi
Date: Fri, 17 May 2024 13:29:06 +0530
Subject: [PATCH 1/5] msm: eva: Added check for valid buffer offset
Check total number of kernel fences if its in limit or not.
Change-Id: Ibeaeca085bea9942dcab0fa2ad574c717d2cc104
Signed-off-by: Palak Joshi
---
 msm/eva/msm_cvp.c | 20 +++++++++++++++++++-
 msm/eva/msm_cvp_buf.c | 14 +++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/msm/eva/msm_cvp.c b/msm/eva/msm_cvp.c
index f30b6e929a..b4afdeaf29 100644
--- a/msm/eva/msm_cvp.c
+++ b/msm/eva/msm_cvp.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include "msm_cvp.h"
@@ -493,8 +493,18 @@ static int cvp_populate_fences( struct eva_kmd_hfi_packet *in_pkt,
 enum op_mode mode;
 struct cvp_buf_type *buf;
 bool override;
+ unsigned int total_fence_count = 0;
 int rc = 0;
+ cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
+ if (!offset || !num)
+ return 0;
+
+ if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+ dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+ rc = -EINVAL;
+ goto exit;
+ }
 override = get_pkt_fenceoverride((struct cvp_hal_session_cmd_pkt*)in_pkt);
@@ -585,7 +595,15 @@ kernel_fence:
 f->num_fences++;
 buf->fence_type &= ~INPUT_FENCE_BITMASK;
 buf->input_handle = 0;
+ total_fence_count++;
 }
+ if (buf->output_handle)
+ total_fence_count++;
+ }
+ if (total_fence_count > MAX_HFI_FENCE_SIZE) {
+ dprintk(CVP_ERR, "Invalid total_fence_count %d\n", total_fence_count);
+ rc = -EINVAL;
+ goto free_exit;
 }
 f->output_index = f->num_fences;
diff --git a/msm/eva/msm_cvp_buf.c b/msm/eva/msm_cvp_buf.c
index f3a7876d9e..288b408904 100644
--- a/msm/eva/msm_cvp_buf.c
+++ b/msm/eva/msm_cvp_buf.c
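Review bot: The new `offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))` guard is pasted verbatim into four functions — here in cvp_populate_fences and in the three msm_cvp_buf.c hunks of this patch (msm_cvp_unmap_user_persist, msm_cvp_map_user_persist, msm_cvp_map_frame) — so a single helper such as `static inline bool cvp_pkt_offset_in_hdr(unsigned int offset)` next to the struct definition would keep the bound in one place. The guard is only a lower bound: nothing in these hunks checks that `offset` plus the `num`/`buf_num` buffers it addresses still lies inside the packet's `pkt_data`, so unless that upper bound is enforced by the callers (not visible here) the `&in_pkt->pkt_data[offset]` reads remain unbounded. `offset` is printed with `%d`; if it is `unsigned int`, `%u` is the matching specifier. cvp_populate_fences begins and ends outside the hunk.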
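Review bot: The `total_fence_count > MAX_HFI_FENCE_SIZE` test only runs after the loop has finished, but `f->num_fences++` and the fence bookkeeping it is meant to bound happen inside the loop, so if `f`'s fence storage is sized by MAX_HFI_FENCE_SIZE (not visible here) an over-long packet is still written past it before the check rejects it. Checking before each increment closes that window, e.g. replacing both `total_fence_count++;` sites with `if (++total_fence_count > MAX_HFI_FENCE_SIZE) { rc = -EINVAL; goto free_exit; }`, or counting the fences in a pre-pass before any are populated. `total_fence_count` is `unsigned int` but printed with `%d`; use `%u`. The loop this hunk closes begins outside the hunk.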
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include
@@ -1781,6 +1781,10 @@ int msm_cvp_unmap_user_persist(struct msm_cvp_inst *inst,
 if (!offset || !buf_num)
 return 0;
+ if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+ dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+ return -EINVAL;
+ }
 cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
 for (i = 0; i < buf_num; i++) {
 buf = (struct cvp_buf_type *)&in_pkt->pkt_data[offset];
@@ -1815,6 +1819,10 @@ int msm_cvp_map_user_persist(struct msm_cvp_inst *inst,
 if (!offset || !buf_num)
 return 0;
+ if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+ dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+ return -EINVAL;
+ }
 cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
 for (i = 0; i < buf_num; i++) {
 buf = (struct cvp_buf_type *)&in_pkt->pkt_data[offset];
@@ -1857,6 +1865,10 @@ int msm_cvp_map_frame(struct msm_cvp_inst *inst,
 if (!offset || !buf_num)
 return 0;
+ if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+ dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+ return -EINVAL;
+ }
 cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
 ktid = atomic64_inc_return(&inst->core->kernel_trans_id);
 ktid &= (FENCE_BIT - 1);
From 00a07388b1638319559aab80672d308d54cd59dc Mon Sep 17 00:00:00 2001
From: Gopireddy Arunteja Reddy
Date: Fri, 10 May 2024 14:31:06 +0530
Subject: [PATCH 2/5] msm: eva: UAF issue in mapping wncc buffers
Adding wncc buf only if the wncc buf count doesn't exceed the 'EVA_KMD_WNCC_MAX_SRC_BUFS'.
Change-Id: I33a98868b90bd3819a47f533eb115543b19186ac
Signed-off-by: Gopireddy Arunteja Reddy
---
 msm/eva/msm_cvp_buf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/msm/eva/msm_cvp_buf.c b/msm/eva/msm_cvp_buf.c
index f3a7876d9e..f494e662d9 100644
--- a/msm/eva/msm_cvp_buf.c
+++ b/msm/eva/msm_cvp_buf.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include
@@ -536,11 +536,11 @@ int msm_cvp_map_buf_wncc(struct msm_cvp_inst *inst,
 }
 }
- list_add_tail(&cbuf->list, &inst->cvpwnccbufs.list);
 for (i = 0; i < EVA_KMD_WNCC_MAX_SRC_BUFS; i++) {
 if (inst->cvpwnccbufs_table[i].iova == 0) {
+ list_add_tail(&cbuf->list, &inst->cvpwnccbufs.list);
 inst->cvpwnccbufs_num++;
 inst->cvpwnccbufs_table[i].fd = buf->fd;
 inst->cvpwnccbufs_table[i].iova = smem->device_addr;
From 9be225ebfdbcee6553f5b727266081416ae5930f Mon Sep 17 00:00:00 2001
From: Gopireddy Arunteja Reddy
Date: Fri, 10 May 2024 13:00:52 +0530
Subject: [PATCH 3/5] msm: eva: Resource leak in get_sys_prop
Calling dma_buf_put to decrement the f_count in error scenario.
Change-Id: I9c9db10bad46b38330c9221f57457ddd6a80c029
Signed-off-by: Gopireddy Arunteja Reddy
---
 msm/eva/msm_cvp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/msm/eva/msm_cvp.c b/msm/eva/msm_cvp.c
index f30b6e929a..d2bb3c98de 100644
--- a/msm/eva/msm_cvp.c
+++ b/msm/eva/msm_cvp.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include "msm_cvp.h"
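Review bot: Moving `list_add_tail` into the `iova == 0` branch ties list membership to claiming a table slot, but no `break` is visible after the slot is filled; if the loop body does not break (it continues past the hunk), a second free slot in the same pass would call `list_add_tail` again on the same `cbuf->list` and corrupt the list. Please confirm a `break` follows the slot assignment, and that the code after the loop treats "no free slot" — loop exits with `cbuf` never linked — as an error that frees `cbuf` without a `list_del`, since that unlinked-but-freed case is what this fix depends on. A one-line comment above the loop, e.g. `/* cbuf joins cvpwnccbufs only once a table slot is claimed; otherwise the caller frees it unlinked */`, would record the invariant. msm_cvp_map_buf_wncc continues outside the hunk.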
@@ -1119,6 +1119,7 @@ static int msm_cvp_get_sysprop(struct msm_cvp_inst *inst,
 rc = dma_buf_fd(hfi->sfr.mem_data.dma_buf, O_RDONLY | O_CLOEXEC);
 if (rc < 0) {
 dprintk(CVP_WARN, "Failed get dma_buf fd %d\n", rc);
+ dma_buf_put(hfi->sfr.mem_data.dma_buf);
 break;
 }
From 12119c6299de371dd71afce0aa4860fe52d80281 Mon Sep 17 00:00:00 2001
From: Gopireddy Arunteja Reddy
Date: Sun, 26 May 2024 23:13:07 +0530
Subject: [PATCH 4/5] msm: eva: OOB write fix due to integer underflow
If FW send a pkt->size which is less than the sizeof packet structure then pkt->size - sizeof() would result into an integer underflow. Due to this the subsequent check would be by passed and we will start write to an OOB memory.
Change-Id: I8d33602a707a4bab07c5db53abe252bd480bfb84
Signed-off-by: Gopireddy Arunteja Reddy
---
 msm/eva/hfi_response_handler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/msm/eva/hfi_response_handler.c b/msm/eva/hfi_response_handler.c
index 0cb9559f63..89f7b2b68d 100644
--- a/msm/eva/hfi_response_handler.c
+++ b/msm/eva/hfi_response_handler.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include
@@ -624,7 +624,7 @@ static void hfi_process_sys_get_prop_image_version(
 int req_bytes;
 req_bytes = pkt->size - sizeof(*pkt);
- if (req_bytes < version_string_size ||
+ if (req_bytes < (signed int)version_string_size ||
 !pkt->rg_property_data[1] ||
 pkt->num_properties > 1) {
 dprintk(CVP_ERR, "%s: bad_pkt: %d\n", __func__, req_bytes);
From 9ab52a824ab6738c19d15b85bfb86f23daf40312 Mon Sep 17 00:00:00 2001
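Review bot: The added `dma_buf_put` is only correct if a matching reference on `hfi->sfr.mem_data.dma_buf` was taken just before the `dma_buf_fd` call (outside the hunk) specifically for the fd; if that pointer is the driver's own long-lived reference, this put drops it on the error path and leaves `hfi->sfr.mem_data.dma_buf` dangling for later users. Please confirm the pairing and document it at the put, e.g. `/* drop the ref taken for the fd; on success the installed fd owns it */`. msm_cvp_get_sysprop continues outside the hunk on both sides.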
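Review bot: The fix relies on the wrapped `pkt->size - sizeof(*pkt)` being truncated into a negative `int`, which holds only while `req_bytes` stays a signed 32-bit type and `version_string_size` stays below INT_MAX after the cast; a later change to either silently reopens the underflow the commit describes. Checking the size before subtracting states the intent without casts: `if (pkt->size < sizeof(*pkt) + version_string_size ||` as the first clause of the condition (keeping `req_bytes` for the log and the later copy), so the comparison is done in unsigned arithmetic on values that cannot wrap. `req_bytes` in the `dprintk` is then still `%d`, which matches its `int` type. hfi_process_sys_get_prop_image_version continues outside the hunk.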
From: Pranay Varma Kopanati
Date: Sun, 12 May 2024 14:41:32 +0530
Subject: [PATCH 5/5] msm: eva: Adding kref count for cvp_get_inst_from_id
Adding count for instance
Change-Id: I1de6e3d4371f1b473907390afafa11e41806671b
Signed-off-by: Pranay Varma Kopanati
---
 msm/eva/hfi_response_handler.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/msm/eva/hfi_response_handler.c b/msm/eva/hfi_response_handler.c
index 0cb9559f63..f5d153e238 100644
--- a/msm/eva/hfi_response_handler.c
+++ b/msm/eva/hfi_response_handler.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include
@@ -487,7 +487,7 @@ retry:
 }
 }
- inst = match ? inst : NULL;
+ inst = match && kref_get_unless_zero(&inst->kref) ? inst : NULL;
 mutex_unlock(&core->lock);
 } else {
 if (core->state == CVP_CORE_UNINIT)
@@ -546,6 +546,7 @@ static int hfi_process_session_dump_notify(u32 device_id,
 info->response_type = HAL_SESSION_DUMP_NOTIFY;
 info->response.cmd = cmd_done;
+ cvp_put_inst(inst);
 return 0;
 }
@@ -584,7 +585,7 @@ static int hfi_process_session_cvp_msg(u32 device_id,
 sess_msg = cvp_kmem_cache_zalloc(&cvp_driver->msg_cache, GFP_KERNEL);
 if (sess_msg == NULL) {
 dprintk(CVP_ERR, "%s runs out msg cache memory\n", __func__);
- return -ENOMEM;
+ goto error_no_mem;
 }
 memcpy(&sess_msg->pkt, pkt, get_msg_size(pkt));
@@ -607,11 +608,14 @@ static int hfi_process_session_cvp_msg(u32 device_id,
 info->response_type = HAL_NO_RESP;
+ cvp_put_inst(inst);
 return 0;
 error_handle_msg:
 spin_unlock(&sq->lock);
 cvp_kmem_cache_free(&cvp_driver->msg_cache, sess_msg);
+error_no_mem:
+ cvp_put_inst(inst);
 return -ENOMEM;
 }
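Review bot: cvp_get_inst_from_id now returns a kref-held reference, so every caller must pair it with `cvp_put_inst`; this patch adds the put only in hfi_process_session_dump_notify and hfi_process_session_cvp_msg, and any other caller of cvp_get_inst_from_id that is not in this patch, or any early `return` in those two functions between the lookup and the added puts (their bodies run outside the hunks), now leaks a reference and pins the instance forever. The new contract should be stated at the lookup, e.g. `/* On success returns inst with a kref held; the caller must cvp_put_inst() it. */`. The expression `match && kref_get_unless_zero(&inst->kref) ? inst : NULL` is correct but reads as a precedence puzzle; parenthesising the `&&` term, or using a plain `if`, makes the lookup-then-get intent obvious. The lookup function continues outside the hunk on both sides.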
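Review bot: The label `error_no_mem:` is now reached from two unrelated failures — the cache-allocation failure via `goto` and the `error_handle_msg` path by fall-through — so its name no longer describes what it does; renaming it to `put_inst:` (and updating the `goto`) would make the cleanup ladder read correctly. A short comment at the label, e.g. `/* common exit: drop the reference taken by cvp_get_inst_from_id */`, documents why both paths converge here. hfi_process_session_cvp_msg begins outside the hunk.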