0c95c078771f637924fa7ae01b0d90df285dde64 |
|
02-May-2018 |
Ray Essick <essick@google.com> |
Revert "mm-video-v4l2: Protect buffer access and increase input buffer size" This reverts commit 4f368aba8c090006c96ad496558a66d15a63b79d. Reason for revert: regressions at oc-mr1/bullhead and pi/walleye Change-Id: Ie9caad90482698913db06cdb9aeebfd869fe1a6a Bug: 64340487 Bug: 78291359 Bug: 78913375
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
4f368aba8c090006c96ad496558a66d15a63b79d |
|
13-Apr-2018 |
Ray Essick <essick@google.com> |
mm-video-v4l2: Protect buffer access and increase input buffer size Protect buffer access for below scenarios: *Increase the scope of buf_lock in free_buffer to avoid access of freed buffer for both input and output buffers. Also, add check before output buffer access. *Disallow allocate buffer mode after client has called use buffer. Allocate additional 512 bytes of memory for input buffers on top of allocation size as per hardware requirement Author: Santhosh Behara <santhoshbehara@codeaurora.org> Bug: 64340487 Test: PoC before/after Change-Id: Icc65fe43134493fefe6e420ca818f60995084871
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
7c03ed4f9e7ef832adfc34771e27a26aa2da9b2e |
|
19-Oct-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow input usebuffer for secure case am: 7b99376ecf Change-Id: I8104f710d235307138c01dda4c19ad006aa5788b
|
7b99376ecf7a6746e3bcb146975c00fc9ea560ab |
|
17-Sep-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow input usebuffer for secure case In secure mode, input buffer _must_ be allocated by the component to allocate a secure buffer. Client-supplied memory via usebuffer does not qualify as secure-memory and must be rejected. This also avoids accidental heap-overflow while copying bitstream from user-memory to a smaller-sized secure-payload (usually the buffer-header itself) Bug : 30148882 Fixes : Heap Overflow/LPE in MediaServer (libOmxVdec problem #11) CRs-Fixed: 1071731 Change-Id: Ibbde2d6a9c1f30e8482a533cadb13e44d8dcb2c0
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
ee06e61ff49357884de5c6714828c263966895ee |
|
17-Aug-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Disallow changing buffer modes/counts on allocated ports Changing Count, size, usage-mode (metadata/bytebuffer/native-handle) or allocation-mode (allocateBuffer/UseBuffer) of buffers should only be allowed when the port hasn't been allocated yet. Since buffer-modes determine the payload-size in case of meta-buffer-mode, and also determine the memory-base to derive buffer indices from buffer- headers, letting the client change count/size/mode on a pre-allocated port will cause inconsistencies in the size of memory allocated for headers and lead to index overflows. Fix the range checks for the derived buffer-indices to avoid out-of-bounds writes. Also, ensure buffer-mode settings (metadata-mode, native-handle-mode) are intended for the right ports. Bug: 29617572 : Heap Overflow/LPE in MediaServer (libOmxVdec problem #8) Bug: 29982686 : Memory Write/LPE in MediaServer (libOmxVdec problem #10) Change-Id: I619636a48779580c247bffb3752c3e4025b46542
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
97e3ddfad60bf0417cbbc93dda97d2b887589fc0 |
|
25-Apr-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Avoid processing ETBs/FTBs in invalid states (per the spec) ETB/FTB should not be handled in states other than Executing, Paused and Idle. This avoids accessing invalid buffers. Also add a lock to protect the private-buffers from being deleted while accessing from another thread. Bug: 27890802 Security Vulnerability - Heap Use-After-Free and Possible LPE in MediaServer (libOmxVdec problem #6) Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
c9770704a9bb7c26205cf0e5bca05d4397aab1c3 |
|
17-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vidc: fix matching of extension strings Using strncmp with the strlen of source string can result in false positives when it is a substring of the passed string. Eg: strncmp("OMX.extn.x", "OMX.extn.xyz", strlen(OMX.extn.x)) will result in a match. Use strcmp instead. Bug: 27344524 Change-Id: I68839f2bea8b97a31f43885538e9dce51aa8c1b4
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
ff8f9f29b46df8de6dba9bda31eab4beb67146b8 |
|
23-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: deprecate unused config OMX_IndexVendorVideoExtraData This config (used to set header offline) is no longer used. Remove handling this config since it uses non-process-safe ways to pass memory pointers. Fixes: Security Vulnerability - Segfault in MediaServer (libOmxVdec problem #2) Bug: 27475409 Change-Id: I7a535a3da485cbe83cf4605a05f9faf70dcca42f
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
fd65fa891104fd7cedb06a8ba0849934dae63640 |
|
23-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: add safety checks for freeing buffers Allow only up to 64 buffers on input/output port (since the allocation bitmap is only 64-wide). Do not allow changing the actual buffer count while still holding allocation (Client can technically negotiate buffer count on a free/disabled port) Add safety checks to free only as many buffers were allocated. Fixes: Security Vulnerability - Heap Overflow and Possible Local Privilege Escalation in MediaServer (libOmxVdec problem #3) Bug: 27532282 27661749 Change-Id: I06dd680d43feaef3efdc87311e8a6703e234b523
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
af0b35a2e7f4d246242c0f35fcde04858dd6670d |
|
05-Apr-2016 |
Steve Pfetsch <spfetsch@google.com> |
Merge "mm-video-v4l2: vdec: Add range check before native_buffer usage" into nyc-dev
|
00c00c349f132b5bba20e26ed54d01e9be9f87e4 |
|
31-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vdec: Add range check before native_buffer usage Restore missing buffer-index calculation, without which, native-handles were not being saved properly and NULL handles got sent out to gralloc::setMetadata A bad buffer index can cause the OMX component to make an out of bound read/write access on the native_buffer array and cause a crash. Add range check to fix the issue. Bug: 25976027 Change-Id: I684a501a1a71898b5c1c80566125459a5972c959
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
16ee85d1d456a4b694fd32baa5f52341e638b5d8 |
|
30-Mar-2016 |
Praveen Chavan <pchavan@codeaurora.org> |
mm-video-v4l2: vidc: validate omx param/config data Check the sanity of config/param strcuture objects passed to get/set _ config()/parameter() methods. Bug: 27533317 Security Vulnerability in MediaServer omx_vdec::get_config() Can lead to arbitrary write Change-Id: I6c3243afe12055ab94f1a1ecf758c10e88231809
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|
e4010605f233a213cf0d972397bb33c34c364227 |
|
07-Mar-2016 |
Patrick Tjin <pattjin@google.com> |
Initial import of msm8996 media HAL 1) Move existing HAL to msm8974/ 2) Import msm8996 HAL from LA.HB.1.1.2_rb1.12 3) Modify Makefiles to remove kernel dependencies and fix for new directory structure 4) Modify top level makefile for new directory structure Top commits from LA.HB.1.1.2_rb1.12 included in this commit: db7937a mm-video: vidc: memset struct v4l2_format prior to S_FMT d77ab10 Merge "mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress" 8895985 mm-video-v4l2: vidc: vdec: Add property to disable UBWC for OPB 675af75 Merge "mm-video: vidc: Communicate the right colorformat to the driver" dd79df2 Merge "mm-video: vidc: Reliably stop the message thread" c3e8618 Merge "mm-video-v4l2: vidc: venc: Fix B-Frame handling" 755ec08 mm-video-v4l2: vidc: Do not queue output buffer if flush is in progress 3ac8410 mm-video: vidc: Reliably stop the message thread b73dcba Merge "mm-video-v4l2: vidc: venc: Bug fixes for VZIP" 8358109 Merge "mm-video-v4l2: vdec: fix picture type decode mode return status" BUG=27420204 Signed-off-by: Patrick Tjin <pattjin@google.com> Change-Id: I71aa0190e48b332268334677894b0ad7c606296b
/hardware/qcom/media/msm8974/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp
|