staging: vc04_services: vchiq-mmal: validate component index in event… #7326
Closed
Sebasteuo wants to merge 1 commit into raspberrypi:rpi-6.18.y from
…_to_host_cb()
event_to_host_cb() uses msg->u.event_to_host.client_component as an index into the instance->component[] array (size VCHIQ_MMAL_MAX_COMPONENTS = 64) without bounds validation. While the kernel generally trusts the hardware it is bound to, a bounds check here hardens the driver against potential firmware bugs that could otherwise cause an uncontrolled out-of-bounds array access and kernel crash.
Add a bounds check on comp_idx before using it as an array index and move the component pointer assignment after the validation. Use pr_err_ratelimited() to avoid log flooding. Note: this file does not currently have access to a struct device, so dev_err() is not available.
Cc: stable@vger.kernel.org
Fixes: b18ee53 ("staging: bcm2835: Break MMAL support out from camera")
Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
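The bounds check the commit message describes, as a userspace C model added here for illustration; it is not the patch and not the driver's code. The struct layouts, the uint32_t index type, handle_event() and the burst-only stand-in for pr_err_ratelimited() are assumptions, and the sample indices are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define VCHIQ_MMAL_MAX_COMPONENTS 64 /* array size given in the commit message */
/* Simplified stand-ins for the driver structures (assumed, not the real layout). */
struct component { unsigned events_seen; };
struct instance { struct component component[VCHIQ_MMAL_MAX_COMPONENTS]; };
struct event_msg { uint32_t client_component; }; /* index supplied by firmware */
/* Burst-only model of rate-limited logging: print `burst` lines, count the rest. */
struct ratelimit { unsigned burst, printed, suppressed; };

static void log_bad_index(struct ratelimit *rl, uint32_t idx)
{
	if (rl->printed >= rl->burst) { rl->suppressed++; return; }
	rl->printed++;
	fprintf(stderr, "component index %u out of range\n", (unsigned)idx);
}

/* Returns 0 when the event reached a component, -1 when the index was rejected. */
static int handle_event(struct instance *inst, const struct event_msg *msg,
			struct ratelimit *rl)
{
	uint32_t comp_idx = msg->client_component;
	if (comp_idx >= VCHIQ_MMAL_MAX_COMPONENTS) { /* unsigned: one compare suffices */
		log_bad_index(rl, comp_idx);
		return -1;
	}
	/* The array element is touched only after the index has been validated. */
	inst->component[comp_idx].events_seen++;
	return 0;
}

static struct instance demo_inst;
static struct ratelimit demo_rl;

/* Constructed sample: two valid indices, then three a faulty firmware might send. */
static int demo_rejected(void)
{
	static const uint32_t sample[] = { 0, 63, 64, 1000, 0xFFFFFFFFu };
	int rejected = 0;
	demo_inst = (struct instance){ 0 };
	demo_rl = (struct ratelimit){ .burst = 2 };
	for (unsigned i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
		struct event_msg msg = { .client_component = sample[i] };
		rejected += handle_event(&demo_inst, &msg, &demo_rl) != 0;
	}
	return rejected;
}

int main(void) { printf("rejected=%d\n", demo_rejected()); return 0; }
```

With a burst of 2, the third out-of-range index is rejected silently and only counted, which is the log-flooding behaviour the rate-limited print is meant to prevent.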
pelwell
reviewed
Apr 21, 2026
Contributor
This is the second implementation of event_to_host_cb, the first of which is just a stub (https://github.com/raspberrypi/linux/pull/7326/changes#diff-c7eb07be414e4492176f38e319d52a418c65483a6747bda080c0191cbb200df7R234-R243).
How is this meant to work?
Collaborator
I suspect this is an artifact of rebasing onto the wrong kernel tree.
This commit should look like the one in the other PR (against 6.18): 09cfb46
Contributor
I agree:
$ git log --oneline pr7326
f94c456841fbf (pr7326) staging: vc04_services: vchiq-mmal: validate component index in event_to_host_cb()
28062d320bded bcachefs: Fix gc handling of bucket gens
86a225c42d44b bcachefs: fix a deadlock on startup
3c5fa33a55ac2 bcachefs: force str_hash code to be inlined
d16b4a77a5c64 bcachefs: Assorted journal refactoring
ecf37a4a80ec0 bcachefs: fs_usage_u64s()
where
$ git show pr7326^
commit 28062d320bded23eb7d24633e6ab11ea3c03487b
Author: Kent Overstreet <kent.overstreet@gmail.com>
Date: Wed Feb 20 17:57:06 2019 -0500
bcachefs: Fix gc handling of bucket gens
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
diff --git a/fs/bcachefs/btree_gc.c b/fs/bcachefs/btree_gc.c
index 56402fc64bc22..c899a77bf8919 100644
--- a/fs/bcachefs/btree_gc.c
+++ b/fs/bcachefs/btree_gc.c
@@ -142,22 +142,23 @@ static int bch2_gc_mark_key(struct bch_fs *c, struct bkey_s_c k,
bkey_for_each_ptr(ptrs, ptr) {
...
Author
Closing in favor of #7327 which is correctly rebased onto rpi-6.18.y.