Re: [PATCH] staging: media: ipu3: fix out-of-bounds access in imgu_map_node()

Next message: Christoph Hellwig: "Re: [PATCH 4/4] nvme-pci: Use pci_dev_suspend_retention_supported() API during suspend"
Previous message: Zhenzhong Wu: "Re: [PATCH net v4 2/2] selftests/bpf: check epoll readiness during reuseport migration"
In reply to: Greg KH: "Re: [PATCH] staging: media: ipu3: fix out-of-bounds access in imgu_map_node()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sakari Ailus

Date: Wed Apr 22 2026 - 02:38:21 EST

Hi Sajja,

On Wed, Apr 22, 2026 at 11:49:51AM +0530, Sajja Easwar Sai wrote:
> imgu_map_node() walks imgu_node_map[] looking for a CSS queue ID. When
> no match is found the loop exits with i == IMGU_NODE_NUM, which is one
> past the end of every array that is indexed by node id. The value is
> returned without any bounds check, so callers that use it immediately
> as an array subscript produce out-of-bounds reads.
>
> The most critical caller is the threaded IRQ handler
> imgu_isr_threaded(), where b->queue comes directly from firmware; a
> malformed or buggy firmware return could therefore trigger a kernel
> oops.

Have you seen this happen in practice?

--
Regards,

Sakari Ailus