Govindaraj Rajagopal cd4ea5b043 video: driver: fix possible memory corruption issue
__flush_debug_queue() currently uses core->response_packet
or core->packet for flushing debug queue. So these were
allocated only 4096 bytes, but in read_queue(), boundaries
were checked against VIDC_IFACEQ_VAR_HUGE_PKT_SIZE macro
which is of size 1024 * 12 bytes.

So if FW log packet size is in between 4 KB to 12 KB then
read_queue() allows memcpy() into core->response_packet
or core->packet that will lead to a redzone corruption issue
with adjacent alive/valid allocations, i.e. further leads to a
kernel panic at the kfree() sequence (during object validation).

Uploaded change to use same sizes during allocation and
read_queue() validation.

Change-Id: If82766c1479d7589605386f3e314ff2ccd97f6d0
Signed-off-by: Govindaraj Rajagopal <quic_grajagop@quicinc.com>
2022-06-23 19:45:09 +05:30
2021-02-23 11:57:18 -08:00
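The mechanism the commit message describes, as an added illustration that is not code from this driver or from the commit: a queue reader that bounds-checks the packet length against one constant (12 KiB) while the destination buffer was allocated with another (4 KiB). Everything here is constructed for the demo; the only name taken from the commit text is VIDC_IFACEQ_VAR_HUGE_PKT_SIZE, and the packet header layout, struct names and OLD_PKT_ALLOC_SIZE are assumptions. Where the real read_queue() would memcpy() an accepted 4 KB to 12 KB packet into the smaller buffer, this version returns READ_WOULD_OVERFLOW instead of corrupting its own heap, so it can be run safely. The "after" variant carries the allocation size alongside the buffer and validates against that same value, which is the general form of the fix the commit applies with one shared macro.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size macro named in the commit message: 1024 * 12 bytes. */
#define VIDC_IFACEQ_VAR_HUGE_PKT_SIZE (1024 * 12)
/* The 4096-byte allocation the message describes (constant name assumed). */
#define OLD_PKT_ALLOC_SIZE 4096

/* Constructed packet header: total size first, as in HFI-style queues (assumed layout). */
struct pkt_hdr {
    uint32_t size;   /* total packet bytes, header included */
    uint32_t type;
};

/* Minimal stand-in for the shared interface queue (constructed). */
struct iface_queue {
    const uint8_t *base;
    size_t len;
    size_t rd_idx;
};

/* Stand-in for the driver core: the packet buffer plus the size it was allocated with. */
struct core {
    uint8_t *response_packet;
    size_t   response_packet_size;
};

enum read_result { READ_OK, READ_REJECT_TOO_BIG, READ_WOULD_OVERFLOW };

/*
 * Shape of the buggy reader: the bound is 'max_pkt', but the destination holds
 * 'dst_cap' bytes. If the two disagree, a packet can pass the bound yet not fit.
 * The original driver memcpy()s at that point; this demo reports it instead.
 */
static enum read_result read_queue(struct iface_queue *q, uint8_t *dst, size_t dst_cap,
                                   size_t max_pkt, size_t *out_len)
{
    struct pkt_hdr hdr;
    if (q->len - q->rd_idx < sizeof hdr)
        return READ_REJECT_TOO_BIG;
    memcpy(&hdr, q->base + q->rd_idx, sizeof hdr);
    size_t pkt_size = hdr.size;
    if (pkt_size < sizeof hdr || pkt_size > max_pkt || pkt_size > q->len - q->rd_idx)
        return READ_REJECT_TOO_BIG;          /* the check the firmware-controlled size hits */
    if (pkt_size > dst_cap)
        return READ_WOULD_OVERFLOW;          /* heap overflow by pkt_size - dst_cap bytes */
    memcpy(dst, q->base + q->rd_idx, pkt_size);
    q->rd_idx += pkt_size;
    *out_len = pkt_size;
    return READ_OK;
}

static void core_init(struct core *c, size_t alloc)
{
    c->response_packet = calloc(1, alloc);
    c->response_packet_size = alloc;
}

/* Build a queue holding one firmware-log packet of 'pkt_size' bytes (constructed data). */
static uint8_t *make_queue(size_t pkt_size, struct iface_queue *q)
{
    uint8_t *buf = calloc(1, pkt_size);
    struct pkt_hdr hdr = { .size = (uint32_t)pkt_size, .type = 0x1 /* arbitrary log type */ };
    memcpy(buf, &hdr, sizeof hdr);
    q->base = buf; q->len = pkt_size; q->rd_idx = 0;
    return buf;
}

/* Before the fix: 4096-byte allocation, bound of VIDC_IFACEQ_VAR_HUGE_PKT_SIZE. */
static enum read_result flush_log_before_fix(size_t pkt_size)
{
    struct core c; struct iface_queue q; size_t n = 0;
    core_init(&c, OLD_PKT_ALLOC_SIZE);
    uint8_t *qb = make_queue(pkt_size, &q);
    enum read_result r = read_queue(&q, c.response_packet, c.response_packet_size,
                                    VIDC_IFACEQ_VAR_HUGE_PKT_SIZE, &n);
    free(qb); free(c.response_packet);
    return r;
}

/* After the fix: allocate and validate with the same size, so the two cannot drift. */
static enum read_result flush_log_after_fix(size_t pkt_size)
{
    struct core c; struct iface_queue q; size_t n = 0;
    core_init(&c, VIDC_IFACEQ_VAR_HUGE_PKT_SIZE);
    uint8_t *qb = make_queue(pkt_size, &q);
    enum read_result r = read_queue(&q, c.response_packet, c.response_packet_size,
                                    c.response_packet_size, &n);
    free(qb); free(c.response_packet);
    return r;
}

int main(void)
{
    size_t log_pkt = 8192;   /* a firmware log packet between 4 KB and 12 KB */
    printf("before fix, %zu-byte packet: %s\n", log_pkt,
           flush_log_before_fix(log_pkt) == READ_WOULD_OVERFLOW ? "would overflow" : "safe");
    printf("after fix,  %zu-byte packet: %s\n", log_pkt,
           flush_log_after_fix(log_pkt) == READ_OK ? "copied" : "rejected");
    return 0;
}
```

An 8 KiB packet passes the 12 KiB bound in the "before" path and would spill 4 KiB past the buffer, which is the redzone corruption the commit describes; the same packet copies cleanly in the "after" path, and anything above 12 KiB is rejected in both.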