[PATCH v2 1/4] staging: vc04_services: vchiq-mmal: validate component index in event_to_host_cb()
Dan Carpenter
error27 at gmail.com
Mon Mar 30 02:35:50 PDT 2026
On Sun, Mar 29, 2026 at 01:15:39AM -0600, Sebastian Josue Alba Vives wrote:
> From: Sebastián Alba Vives <sebasjosue84 at gmail.com>
>
> event_to_host_cb() uses msg->u.event_to_host.client_component as an
> index into the instance->component[] array (size VCHIQ_MMAL_MAX_COMPONENTS
> = 64) without bounds validation. While the kernel generally trusts the
> hardware it is bound to, a bounds check here hardens the driver against
> potential firmware bugs that could otherwise cause an uncontrolled
> out-of-bounds array access and kernel crash.
>
> Add a bounds check on comp_idx before using it as an array index and
> move the component pointer assignment after the validation. Use
> pr_err_ratelimited() to avoid log flooding. Note: this file does not
> currently have access to a struct device, so dev_err() is not available.
>
> Cc: stable at vger.kernel.org
> Fixes: b18ee53ad297 ("staging: bcm2835: Break MMAL support out from camera")
This fixes tag is wrong. That patch just moves code around.
I can't apply this patch to linux-next. Is this another out of tree
bug?
regards,
dan carpenter
More information about the linux-arm-kernel
mailing list