| 0c95c078771f637924fa7ae01b0d90df285dde64 |
|
02-May-2018 |
Ray Essick <essick@google.com> |
Revert "mm-video-v4l2: Protect buffer access and increase input buffer size"
This reverts commit 4f368aba8c090006c96ad496558a66d15a63b79d.
Reason for revert: regressions at oc-mr1/bullhead and pi/walleye
Change-Id: Ie9caad90482698913db06cdb9aeebfd869fe1a6a
Bug: 64340487
Bug: 78291359
Bug: 78913375
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| 4f368aba8c090006c96ad496558a66d15a63b79d |
|
13-Apr-2018 |
Ray Essick <essick@google.com> |
mm-video-v4l2: Protect buffer access and increase input buffer size
Protect buffer access for below scenarios:
*Increase the scope of buf_lock in free_buffer to avoid access
of freed buffer for both input and output buffers. Also, add check
before output buffer access.
*Disallow allocate buffer mode after client has called use buffer.
Allocate additional 512 bytes of memory for input buffers on top of
allocation size as per hardware requirement
Author: Santhosh Behara <santhoshbehara@codeaurora.org>
Bug: 64340487
Test: PoC before/after
Change-Id: Icc65fe43134493fefe6e420ca818f60995084871
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| 7c03ed4f9e7ef832adfc34771e27a26aa2da9b2e |
|
19-Oct-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow input usebuffer for secure case
am: 7b99376ecf
Change-Id: I8104f710d235307138c01dda4c19ad006aa5788b
|
| 7b99376ecf7a6746e3bcb146975c00fc9ea560ab |
|
17-Sep-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow input usebuffer for secure case
In secure mode, input buffer _must_ be allocated by the component to
allocate a secure buffer.
Client-supplied memory via usebuffer does not qualify as secure-memory
and must be rejected. This also avoids accidental heap-overflow while
copying bitstream from user-memory to a smaller-sized secure-payload
(usually the buffer-header itself)
Bug : 30148882
Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11)
CRs-Fixed: 1071731
Change-Id: Ibbde2d6a9c1f30e8482a533cadb13e44d8dcb2c0
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| ee06e61ff49357884de5c6714828c263966895ee |
|
17-Aug-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports
Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or
allocation-mode (allocateBuffer/UseBuffer) of buffers should only be
allowed when the port hasn't been allocated yet.
Since buffer-modes determine the payload-size in case of meta-buffer-mode,
and also determine the memory-base to derive buffer indices from buffer-
headers, letting the client change count/size/mode on a pre-allocated port
will cause inconsistencies in the size of memory allocated for headers and
lead to index overflows.
Fix the range checks for the derived buffer-indices to avoid out-of-bounds
writes.
Also, ensure buffer-mode settings (metadata-mode, native-handle-mode)
are intended for the right ports.
Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8)
Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10)
Change-Id: I619636a48779580c247bffb3752c3e4025b46542
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| 97e3ddfad60bf0417cbbc93dda97d2b887589fc0 |
|
25-Apr-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Avoid processing ETBs/FTBs in invalid states
(per the spec) ETB/FTB should not be handled in states other than
Executing, Paused and Idle. This avoids accessing invalid buffers.
Also add a lock to protect the private-buffers from being deleted
while accessing from another thread.
Bug: 27890802
Security Vulnerability - Heap Use-After-Free and Possible LPE in
MediaServer (libOmxVdec problem #6)
Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| c9770704a9bb7c26205cf0e5bca05d4397aab1c3 |
|
17-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vidc: fix matching of extension strings
Using strncmp with the strlen of source string can result in
false positives when it is a substring of the passed string.
Eg: strncmp("OMX.extn.x", "OMX.extn.xyz", strlen(OMX.extn.x))
will result in a match.
Use strcmp instead.
Bug: 27344524
Change-Id: I68839f2bea8b97a31f43885538e9dce51aa8c1b4
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| ff8f9f29b46df8de6dba9bda31eab4beb67146b8 |
|
23-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: deprecate unused config OMX_IndexVendorVideoExtraData
This config (used to set header offline) is no longer used.
Remove handling this config since it uses non-process-safe ways to
pass memory pointers.
Fixes: Security Vulnerability - Segfault in MediaServer (libOmxVdec problem #2)
Bug: 27475409
Change-Id: I7a535a3da485cbe83cf4605a05f9faf70dcca42f
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| fd65fa891104fd7cedb06a8ba0849934dae63640 |
|
23-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: add safety checks for freeing buffers
Allow only up to 64 buffers on input/output port (since the
allocation bitmap is only 64-wide).
Do not allow changing the actual buffer count while still
holding allocation (Client can technically negotiate buffer
count on a free/disabled port)
Add safety checks to free only as many buffers were allocated.
Fixes: Security Vulnerability - Heap Overflow and Possible
Local Privilege Escalation in MediaServer (libOmxVdec problem #3)
Bug: 27532282 27661749
Change-Id: I06dd680d43feaef3efdc87311e8a6703e234b523
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| af0b35a2e7f4d246242c0f35fcde04858dd6670d |
|
05-Apr-2016 |
Steve Pfetsch <spfetsch@google.com> |
Merge "mm-video-v4l2: vdec: Add range check before native_buffer usage" into nyc-dev
|
| 00c00c349f132b5bba20e26ed54d01e9be9f87e4 |
|
31-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Add range check before native_buffer usage
Restore missing buffer-index calculation, without which,
native-handles were not being saved properly and NULL handles
got sent out to gralloc::setMetadata
A bad buffer index can cause the OMX component to make an out of
bound read/write access on the native_buffer array and cause a
crash. Add range check to fix the issue.
Bug: 25976027
Change-Id: I684a501a1a71898b5c1c80566125459a5972c959
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| 16ee85d1d456a4b694fd32baa5f52341e638b5d8 |
|
30-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vidc: validate omx param/config data
Check the sanity of config/param strcuture objects
passed to get/set _ config()/parameter() methods.
Bug: 27533317
Security Vulnerability in MediaServer
omx_vdec::get_config() Can lead to arbitrary write
Change-Id: I6c3243afe12055ab94f1a1ecf758c10e88231809
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
| e4010605f233a213cf0d972397bb33c34c364227 |
|
07-Mar-2016 |
Patrick Tjin <pattjin@google.com> |
Initial import of msm8996 media HAL
1) Move existing HAL to msm8974/
2) Import msm8996 HAL from LA.HB.1.1.2_rb1.12
3) Modify Makefiles to remove kernel dependencies and
fix for new directory structure
4) Modify top level makefile for new directory structure
Top commits from LA.HB.1.1.2_rb1.12 included in this commit:
db7937a mm-video: vidc: memset struct v4l2_format prior to S_FMT
d77ab10 Merge "mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress"
8895985 mm-video-v4l2: vidc: vdec: Add property to disable UBWC for OPB
675af75 Merge "mm-video: vidc: Communicate the right colorformat to the driver"
dd79df2 Merge "mm-video: vidc: Reliably stop the message thread"
c3e8618 Merge "mm-video-v4l2: vidc: venc: Fix B-Frame handling"
755ec08 mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress
3ac8410 mm-video: vidc: Reliably stop the message thread
b73dcba Merge "mm-video-v4l2: vidc: venc: Bug fixes for VZIP"
8358109 Merge "mm-video-v4l2: vdec: fix picture type decode mode return status"
BUG=27420204
Signed-off-by: Patrick Tjin <pattjin@google.com>
Change-Id: I71aa0190e48b332268334677894b0ad7c606296b
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|