[PATCH 5.11 226/775] media: atomisp: Fix a buffer overflow in debug code

From: Greg Kroah-Hartman
Date: Mon Mar 01 2021 - 23:15:02 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.10 635/663] spi: fsl: invert spisel_boot signal on MPC8309"
Previous message: Greg Kroah-Hartman: "[PATCH 5.10 566/663] media: smipcie: fix interrupt handling and IR timeout"
In reply to: Greg Kroah-Hartman: "[PATCH 5.11 026/775] Bluetooth: Fix initializing response id after clearing struct"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.11 010/775] PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

[ Upstream commit 625993166b551d633917ca35d4afb7b46d7451b4 ]

The "pad" variable is a user controlled string and we haven't properly
clamped it at this point so the debug code could print from beyond the
of the array.

Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
.../media/atomisp/pci/atomisp_subdev.c | 24 ++++++++++++-------
1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/media/atomisp/pci/atomisp_subdev.c b/drivers/staging/media/atomisp/pci/atomisp_subdev.c
index b666cb23e5ca1..2ef5f44e4b6b6 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_subdev.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_subdev.c
@@ -349,12 +349,20 @@ static int isp_subdev_get_selection(struct v4l2_subdev *sd,
return 0;
}

-static char *atomisp_pad_str[] = { "ATOMISP_SUBDEV_PAD_SINK",
- "ATOMISP_SUBDEV_PAD_SOURCE_CAPTURE",
- "ATOMISP_SUBDEV_PAD_SOURCE_VF",
- "ATOMISP_SUBDEV_PAD_SOURCE_PREVIEW",
- "ATOMISP_SUBDEV_PAD_SOURCE_VIDEO"
- };
+static const char *atomisp_pad_str(unsigned int pad)
+{
+ static const char *const pad_str[] = {
+ "ATOMISP_SUBDEV_PAD_SINK",
+ "ATOMISP_SUBDEV_PAD_SOURCE_CAPTURE",
+ "ATOMISP_SUBDEV_PAD_SOURCE_VF",
+ "ATOMISP_SUBDEV_PAD_SOURCE_PREVIEW",
+ "ATOMISP_SUBDEV_PAD_SOURCE_VIDEO",
+ };
+
+ if (pad >= ARRAY_SIZE(pad_str))
+ return "ATOMISP_INVALID_PAD";
+ return pad_str[pad];
+}

int atomisp_subdev_set_selection(struct v4l2_subdev *sd,
struct v4l2_subdev_pad_config *cfg,
@@ -378,7 +386,7 @@ int atomisp_subdev_set_selection(struct v4l2_subdev *sd,

dev_dbg(isp->dev,
"sel: pad %s tgt %s l %d t %d w %d h %d which %s f 0x%8.8x\n",
- atomisp_pad_str[pad], target == V4L2_SEL_TGT_CROP
+ atomisp_pad_str(pad), target == V4L2_SEL_TGT_CROP
? "V4L2_SEL_TGT_CROP" : "V4L2_SEL_TGT_COMPOSE",
r->left, r->top, r->width, r->height,
which == V4L2_SUBDEV_FORMAT_TRY ? "V4L2_SUBDEV_FORMAT_TRY"
@@ -612,7 +620,7 @@ void atomisp_subdev_set_ffmt(struct v4l2_subdev *sd,
enum atomisp_input_stream_id stream_id;

dev_dbg(isp->dev, "ffmt: pad %s w %d h %d code 0x%8.8x which %s\n",
- atomisp_pad_str[pad], ffmt->width, ffmt->height, ffmt->code,
+ atomisp_pad_str(pad), ffmt->width, ffmt->height, ffmt->code,
which == V4L2_SUBDEV_FORMAT_TRY ? "V4L2_SUBDEV_FORMAT_TRY"
: "V4L2_SUBDEV_FORMAT_ACTIVE");

--
2.27.0

Next message: Greg Kroah-Hartman: "[PATCH 5.10 635/663] spi: fsl: invert spisel_boot signal on MPC8309"
Previous message: Greg Kroah-Hartman: "[PATCH 5.10 566/663] media: smipcie: fix interrupt handling and IR timeout"
In reply to: Greg Kroah-Hartman: "[PATCH 5.11 026/775] Bluetooth: Fix initializing response id after clearing struct"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.11 010/775] PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]