Tasklet must be stopped after stopping HW. In current implementation
we are stopping the same tasklet in both the CSID and IFE/TFE stop calls.
This change stops both csid and ife/tfe HW first and then stops the
tasklet.
CRs-Fixed: 3855774
Change-Id: I93de831c45d2f61142db300140e36c17e0dd9b31
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
This change helps to get valid csid id in case
of any IFE is disabled and accessing csid hw caps
with the help of csid id.
CRs-Fixed: 3863667
Change-Id: I57ff8acaaf15b347a69883a54937376843fcd848
Signed-off-by: Gaurav Jindal <quic_gjindal@quicinc.com>
Signed-off-by: Karthik Dillibabu <quic_kard@quicinc.com>
Previously, context user dumps lacked sufficient checks, risking
buffer overflows. Added length checks for dump headers to ensure
enough buffer space before copying header and exact data from
all kinds of request lists.
CRs-Fixed: 3846871
Change-Id: I02d01af54c9985e5642c31b979c0590494fd5775
Signed-off-by: Atiya Kailany <quic_akailany@quicinc.com>
Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
No check for cpu buffer offset, which may lead to out of cpu buffer
map. No check for cmd buffer index, which may lead to out of bound
or negative index. Adding check for cpu buffer map offset and
adding check for cmd buffer index.
CRs-Fixed: 3864084
Change-Id: I39494b0a9f323cb5569d37a0c033b2eaf8fbd32c
Signed-off-by: jinguiw <quic_jinguiw@quicinc.com>
sizeof(struct cam_isp_context_dump_header) only accounted for once
instead of num_entries times for minimum offset needed when dumping
event record of isp context.
CRs-Fixed: 3865205
Change-Id: I6db25ba2dc4022c2582493aadc4875f9bf9ddb62
Signed-off-by: Li Sha Lim <quic_lishlim@quicinc.com>
There are only limitations for CAM_BUF_IN and CAM_BUF_OUT in
config validation, but there will be CAM_BUF_IN_OUT type also.
In process io config, both CAM_BUF_OUT and CAM_BUF_IN_OUT types
are in out_map_entries. No limitation for CAM_BUF_IN_OUT will
lead to out of bound for out_map_entries. This change adds check
for num of io config need in out_map_entries to avoid
out of bound risk.
CRs-Fixed: 3857308
Change-Id: I69163a4264d226d617cbe4f37ba1deb4e6434e31
Signed-off-by: jinguiw <quic_jinguiw@quicinc.com>
This change adds extra checking for frame_info_idx to
avoid accessing invalid items in the array.
CRs-Fixed: 3863925
Change-Id: I9f2350aa7d3da35108d26e50ed5198255fc4237a
Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
Each call to cam_common_user_dump_helper consumes
sizeof(struct cam_isp_context_dump_header) in memory.
Currently, this check is not accounted before each call
to common user dump is made in this function. This change fixes it.
CRs-Fixed: 3864098
Change-Id: I66cab5055b085660fb15ff25707fa4ae97403740
Signed-off-by: Li Sha Lim <quic_lishlim@quicinc.com>
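
Added example, not part of these commits or the driver source: a model of the dump-space accounting that the two dump-header commit messages above describe, with the header-counted-once check beside a per-record check. The struct, function names and sizes are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-record header; a stand-in, not the driver's struct. */
struct dump_header { char tag[16]; uint64_t size; uint32_t word_size; };

/* Flawed check described above: header size counted once for n records. */
static int space_ok_header_once(size_t remain, size_t n, size_t payload)
{
    return remain >= sizeof(struct dump_header) + n * payload;
}

/* Corrected: each record needs header + payload; division avoids overflow. */
static int space_ok_per_record(size_t remain, size_t n, size_t payload)
{
    size_t per = sizeof(struct dump_header) + payload;
    if (per < payload) return 0;        /* addition wrapped */
    return n == 0 || per <= remain / n;
}

/* Writes n records at buf+offset. Returns bytes written, or -1 if they do not fit. */
static long dump_records(uint8_t *buf, size_t buf_len, size_t offset,
                         const uint8_t *payloads, size_t n, size_t payload)
{
    size_t start = offset;
    if (offset > buf_len || !space_ok_per_record(buf_len - offset, n, payload))
        return -1;
    for (size_t i = 0; i < n; i++) {
        struct dump_header hdr;
        memset(&hdr, 0, sizeof(hdr));   /* no uninitialised padding in the dump */
        memcpy(hdr.tag, "REC", 4);
        hdr.size = payload; hdr.word_size = 1;
        memcpy(buf + offset, &hdr, sizeof(hdr));
        memcpy(buf + offset + sizeof(hdr), payloads + i * payload, payload);
        offset += sizeof(hdr) + payload;
    }
    return (long)(offset - start);
}

int main(void)
{
    uint8_t payloads[32] = {0}, buf[4 * (sizeof(struct dump_header) + 8)];
    size_t tight = sizeof(struct dump_header) + 4 * 8;  /* constructed sizes */
    printf("header-once=%d per-record=%d write=%ld\n", space_ok_header_once(tight, 4, 8),
           space_ok_per_record(tight, 4, 8), dump_records(buf, tight, 0, payloads, 4, 8));
    return 0;
}
```
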
The cam_mem_cpu_put_buf function called immediately after
cam_jpeg_add_command_buffers can cause UAF. To avoid this,
get the in_out param reference in jpeg enc bottom half
and update the out size param.
CRs-Fixed: 3848801
Change-Id: Ib484ad388f0dd356a481a7fede40b9898f713c63
Signed-off-by: Nirmal Abraham <quic_c_nabrah@quicinc.com>
Add check for upperbound for num_dev in case of num_dev
assigned less than max_tfe.
CRs-Fixed: 3868093
Change-Id: I7d13467a58617b431d5fbd44a2682fe45d8a23bf
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
Currently, in ife hw manager we are checking the validity of ife out
resource id against the max supported resource id from the header.
The bound check is incorrect as it allows resource id equal to the
max value. Fix this to avoid OOB access.
CRs-Fixed: 3865200
Change-Id: Ib51190a0b089dd8379e1442546e852a81bdb7285
Signed-off-by: Mukund Madhusudan Atre <quic_matre@quicinc.com>
Un-clocked access of registers during dumping the registers while
handling the start failure.
Reason for the issue is that handle regdump trying to read the hw
registers when HW clocks are disabled.
This commit adds a check to validate if the hw is initialized before
accessing the registers.
CRs-Fixed: 3865839
Change-Id: I46878fe1b5442689f8fd909b6bfc9fda0686dac9
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
Add check for upperbound for num devices obtained from query cap v2
preventing integer overflow.
CRs-Fixed: 3864081
Change-Id: I899c794bad2278f39dbea3f80ca701e54cf8d1a9
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
This change fixes a potential OOB access issue due to
culprit checking.
CRs-Fixed: 3851339
Change-Id: I5a8b8977f815376eeb41a4a227df6e307c7bd99d
Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
Current condition to verify that num_links lies in range, is always false.
This change adds fix to condition, while checking num_links range to avoid OOB access.
CRs-Fixed: 3830586
Change-Id: I6e69cd373c6d15d2133fc6a286b4dde23234a6b3
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
IO config can be modified due to access to shared memory.
This change scopes the data locally so as to avoid
vulnerability of count being modified by external
means while executing due to being in shared memory.
CRs-Fixed: 3777635
Change-Id: Ia5dd9138dcf8449e2d800aca9ffed73d9c4ba3ea
Signed-off-by: Akash Puliyadi Jegannathan <quic_apuliyad@quicinc.com>
I2C cmd can be modified due to access to shared memory.
This change scopes the data locally so as to avoid
vulnerability of count being modified by external
means while executing due to being in shared memory.
CRs-Fixed: 3777534
Change-Id: I4637f49db67d1bd1d5ca418435e3627b5652f604
Signed-off-by: Akash Puliyadi Jegannathan <quic_apuliyad@quicinc.com>
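
Added example, not part of these commits or the driver source: the double-fetch pattern that the two shared-memory commit messages above (IO config and I2C cmd) describe, beside the locally scoped form. The struct layout, MAX_ENTRIES, the function names and the race hook that simulates the concurrent writer are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 4   /* hypothetical size of the driver-side table */

/* Hypothetical command layout in memory the client can still write to. */
struct shared_cmd {
    volatile uint32_t count;
    volatile uint32_t entries[16];
};

/* Test hook: stands in for the client rewriting the mapping mid-call. */
typedef void (*race_hook)(struct shared_cmd *);
static void bump_count(struct shared_cmd *cmd) { cmd->count = 16; }

/* Double fetch: count is checked, then read again from shared memory.
 * Returns the loop bound the caller would end up using. */
static uint32_t bound_double_fetch(struct shared_cmd *cmd, race_hook racer)
{
    if (cmd->count > MAX_ENTRIES)       /* fetch 1: validation */
        return 0;
    if (racer)
        racer(cmd);
    return cmd->count;                  /* fetch 2: unvalidated value */
}

/* Local scope: count is read once; only the snapshot is checked and used. */
static uint32_t copy_entries_local(struct shared_cmd *cmd, race_hook racer,
                                   uint32_t out[MAX_ENTRIES])
{
    uint32_t count = cmd->count;        /* the only read of count */
    if (count > MAX_ENTRIES)
        return 0;
    if (racer)
        racer(cmd);
    for (uint32_t i = 0; i < count; i++)
        out[i] = cmd->entries[i];       /* i < count <= MAX_ENTRIES */
    return count;
}

int main(void)
{
    struct shared_cmd cmd = { .count = 3, .entries = { 10, 20, 30 } };  /* constructed */
    uint32_t out[MAX_ENTRIES] = { 0 };
    printf("double fetch bound: %u\n", (unsigned)bound_double_fetch(&cmd, bump_count));
    cmd.count = 3;
    printf("local copy bound:   %u\n", (unsigned)copy_entries_local(&cmd, bump_count, out));
    return 0;
}
```
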
addr variable to have address bound check, due to that incrementing
of that variable can go corrupt other memory address which could lead to
out of bound access. This change will add extra address change before
access addr variable.
CRs-Fixed: 3802568
Change-Id: I0a2804403dc92fa005f8dda5263242eeb01f4765
Signed-off-by: Soumen Ghosh <quic_soumeng@quicinc.com>
Update and refactor SCM calling procedure in accordance to
CSF2.5 framework for supported targets.
Isolate domain_id changes to bypass if only csf2.5 supported.
CRs-Fixed: 3806801
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
Change-Id: Idf8ff9716d1e47fb2cea8ea8a34ae3555b29855e
This change fixes OOB access by dynamically allocating memory
for defer bufdone index array and ensuring that allocation
happens after acquire is successful.
CRs-Fixed: 3815399
Change-Id: Icdf5417a74e940ed8ab9f28ac9e0ae22c7bd3c35
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>