staging: vc04_services: vchiq-mmal: validate component index in event_to_host_cb()#7327
Merged
pelwell merged 1 commit intoraspberrypi:rpi-6.18.yfrom Apr 21, 2026
Merged
Conversation
…_to_host_cb() event_to_host_cb() uses msg->u.event_to_host.client_component as an index into the instance->component[] array (size VCHIQ_MMAL_MAX_COMPONENTS = 64) without bounds validation. While the kernel generally trusts the hardware it is bound to, a bounds check here hardens the driver against potential firmware bugs that could otherwise cause an uncontrolled out-of-bounds array access and kernel crash. Add a bounds check on comp_idx before using it as an array index and move the component pointer assignment after the validation. Use pr_err_ratelimited() to avoid log flooding. Note: this file does not currently have access to a struct device, so dev_err() is not available. Cc: stable@vger.kernel.org Fixes: b18ee53 ("staging: bcm2835: Break MMAL support out from camera") Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
This was referenced Apr 21, 2026
Collaborator
|
Okay by me. @6by9 ? |
Contributor
|
Looks good to me too. |
popcornmix
approved these changes
Apr 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rebased correctly onto rpi-6.18.y. Replaces #7326.
event_to_host_cb() uses msg->u.event_to_host.client_component as an
index into instance->component[] (size VCHIQ_MMAL_MAX_COMPONENTS = 64)
without bounds validation. Add a bounds check to harden against
potential firmware bugs.