public inbox for linux-arm-kernel@lists.infradead.org 
From: Michael Bommarito <michael.bommarito@gmail•com>
To: Detlev Casanova <detlev.casanova@collabora•com>,
	Ezequiel Garcia <ezequiel@vanguardiasur•com.ar>,
	Mauro Carvalho Chehab <mchehab@kernel•org>
Cc: Hans Verkuil <hverkuil@kernel•org>,
	Nicolas Dufresne <nicolas.dufresne@collabora•com>,
	Heiko Stuebner <heiko@sntech•de>,
	linux-media@vger•kernel.org, linux-rockchip@lists•infradead.org,
	linux-arm-kernel@lists•infradead.org,
	linux-kernel@vger•kernel.org, stable@vger•kernel.org
Subject: [PATCH v2 0/3] media: rkvdec: hevc: bound EXT SPS RPS control counts
Date: Wed, 27 May 2026 15:47:34 -0400
Message-ID: <20260527194737.1999409-1-michael.bommarito@gmail.com>
In-Reply-To: <20260513181922.2075438-1-michael.bommarito@gmail.com>

A userspace V4L2 client that can open the Rockchip RKVDEC m2m decoder
node can submit HEVC EXT SPS RPS controls whose spec-derived count
fields exceed the driver's fixed hardware descriptor tables and
temporary helper arrays. KASAN under a KUnit harness wrapping the real
rkvdec_hevc_assemble_hw_rps() helper confirms slab-out-of-bounds writes
on num_short_term_ref_pic_sets > 64, num_long_term_ref_pics_sps > 32,
num_negative/positive_pics > 16, and an OOB read via u8 ref_rps_idx
underflow when delta_idx_minus1 + 1 > idx.

v2 splits the single validation function from v1 into three layers at
the appropriate level, per Detlev's review:

  1/3  Tighten .cfg.dims on EXT_SPS_ST_RPS (65 -> 64) and
       EXT_SPS_LT_RPS (65 -> 32) to match the HEVC spec limits and
       let the V4L2 control framework reject oversized payloads.

  2/3  Add SPS ST/LT count validation plus
       num_negative_pics / num_positive_pics validation in
       v4l2-ctrls-core.c so every consumer driver is protected.

  3/3  Guard the delta_idx_minus1 underflow in
       st_ref_pic_set_prediction() in the rkvdec construction code.

Cc: stable@vger•kernel.org

Changes in v2:
- Split the monolithic rkvdec-hevc-common.c validation function into
  dims, v4l2-core, and construction-code layers as Detlev suggested.
- Drop the rkvdec-local #defines and pr_err_ratelimited; the V4L2
  framework now handles the bulk of the rejection, including the SPS
  count fields that drive the rkvdec loops.

Michael Bommarito (3):
  media: rkvdec: hevc: tighten EXT SPS RPS control dimensions
  media: v4l2-ctrls: validate HEVC EXT SPS RPS counts
  media: rkvdec: hevc: guard INTER_REF_PIC_SET_PRED index underflow

 .../platform/rockchip/rkvdec/rkvdec-hevc-common.c |  3 +++
 drivers/media/platform/rockchip/rkvdec/rkvdec.c   |  4 ++--
 drivers/media/v4l2-core/v4l2-ctrls-core.c         | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)


base-commit: 7fd2df204f342fc17d1a0bfcd474b24232fb0f32
--
2.53.0
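
An added illustration, not code from this patch series or from the kernel: a userspace C model of the checks the cover letter lists, namely the 64 / 32 / 16 count limits and the rejection of delta_idx_minus1 + 1 > idx before the u8 subtraction. The struct, macro and function names are hypothetical, and applying the per-entry count check to every entry is an assumption.

```c
#include <errno.h>
#include <stdint.h>

/* Limits quoted in the cover letter. */
#define MAX_ST_RPS   64u /* num_short_term_ref_pic_sets */
#define MAX_LT_RPS   32u /* num_long_term_ref_pics_sps */
#define MAX_RPS_PICS 16u /* num_negative_pics, num_positive_pics */

/* Hypothetical, simplified stand-in for one short-term RPS entry. */
struct model_st_rps {
	uint8_t inter_pred;       /* nonzero: predicted from an earlier set */
	uint8_t delta_idx_minus1;
	uint8_t num_negative_pics;
	uint8_t num_positive_pics;
};

/* Reference set index for entry idx, computed without u8 wraparound. */
int model_ref_rps_idx(unsigned int idx, uint8_t delta_idx_minus1, uint8_t *out)
{
	unsigned int back = (unsigned int)delta_idx_minus1 + 1;
	if (back > idx) /* (u8)(idx - back) would wrap to a large index */
		return -EINVAL;
	*out = (uint8_t)(idx - back);
	return 0;
}

/* Check the counts, then every entry, before any table would be filled. */
int model_validate(const struct model_st_rps *sets, unsigned int num_st,
		   unsigned int num_lt)
{
	uint8_t ref;
	if (num_st > MAX_ST_RPS || num_lt > MAX_LT_RPS)
		return -EINVAL;
	for (unsigned int i = 0; i < num_st; i++) {
		if (sets[i].num_negative_pics > MAX_RPS_PICS ||
		    sets[i].num_positive_pics > MAX_RPS_PICS)
			return -EINVAL;
		if (sets[i].inter_pred &&
		    model_ref_rps_idx(i, sets[i].delta_idx_minus1, &ref))
			return -EINVAL;
	}
	return 0;
}

int main(void)
{
	/* Constructed input: entry 1 refers two sets back, which does not exist. */
	struct model_st_rps sets[2] = { { 0, 0, 4, 4 }, { 1, 1, 0, 0 } };
	return model_validate(sets, 2, 0) == -EINVAL ? 0 : 1;
}
```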


Thread overview: 8+ messages
2026-05-13 18:19 [PATCH] media: rkvdec: hevc: cap EXT SPS RPS control counts before descriptor assembly Michael Bommarito
2026-05-19 13:04 ` Detlev Casanova
2026-05-21  0:57   ` Michael Bommarito
2026-05-22 13:06     ` Detlev Casanova
2026-05-27 19:47 ` Michael Bommarito [this message]
2026-05-27 19:47   ` [PATCH v2 1/3] media: rkvdec: hevc: tighten EXT SPS RPS control dimensions Michael Bommarito
2026-05-27 19:47   ` [PATCH v2 2/3] media: v4l2-ctrls: validate HEVC EXT SPS RPS counts Michael Bommarito
2026-05-27 19:47   ` [PATCH v2 3/3] media: rkvdec: hevc: guard INTER_REF_PIC_SET_PRED index underflow Michael Bommarito
