video: Stack overflow in video_orc_pack_I420
This was reproduced in SabreLite (IMX.6) with kernel 5.2 rc2. It does not reproduce all the time, which made me suspicious that we call pack/unpack ORC accelerators without verifying that the pointer alignment requirement is met or that the stride is large enough for the requested operation.
I've seen loads of hacks where we just bump the alignment in buffer allocation, but for memory allocated by the driver we can't really influence that, hence users having limitations must check that the required alignment is met and fall back if not.
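As an added illustration of the check described above (not code from GStreamer or from the reporter), here is a small gate a caller could run before handing an I420 frame to an accelerator with an alignment requirement; `PlaneLayout`, the 16-byte alignment and the check_* helpers are assumptions, and the sample geometry is the 320x240 layout gdb printed below:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical mirror of the GstVideoMeta fields gdb printed in this report. */
typedef struct {
    int width, height, n_planes;
    size_t offset[4];
    int stride[4];
} PlaneLayout;

/* I420: full-size luma plane, then two half-size (rounded up) chroma planes. */
static size_t plane_width(int w, int p)  { return (size_t)(p == 0 ? w : (w + 1) / 2); }
static size_t plane_height(int h, int p) { return (size_t)(p == 0 ? h : (h + 1) / 2); }
/* True only if each plane pointer is `align`-byte aligned, each stride holds a full row,
 * and every plane lies inside the `size`-byte mapping at `base`; false means: take the plain C path. */
bool i420_layout_ok(const PlaneLayout *m, const uint8_t *base, size_t size, size_t align)
{
    if (m->n_planes != 3 || m->width <= 0 || m->height <= 0 || align == 0) return false;
    for (int p = 0; p < 3; p++) {
        size_t pw = plane_width(m->width, p), ph = plane_height(m->height, p);
        if (m->stride[p] < 0 || (size_t)m->stride[p] < pw) return false;    /* stride too small */
        size_t need = (size_t)m->stride[p] * (ph - 1) + pw;                 /* last row may be short */
        if (m->offset[p] > size || need > size - m->offset[p]) return false; /* runs off the end */
        if ((uintptr_t)(base + m->offset[p]) % align != 0) return false;     /* misaligned plane */
    }
    return true;
}

/* Constructed sample: the 320x240 I420 geometry printed in the report, over a
 * 16-byte aligned buffer of exactly 76800 + 2 * 19200 = 115200 bytes. */
static _Alignas(16) uint8_t sample_buf[115200];
static const PlaneLayout sample = { 320, 240, 3, {0, 76800, 96000, 0}, {320, 160, 160, 0} };
bool check_sample_layout(void) { return i420_layout_ok(&sample, sample_buf, sizeof sample_buf, 16); }
/* Chroma stride 128 cannot hold a 160-byte row: must be rejected. */
bool check_short_stride(void)
{
    PlaneLayout bad = sample;
    bad.stride[1] = 128;
    return i420_layout_ok(&bad, sample_buf, sizeof sample_buf, 16);
}
/* Same geometry, but the mapping starts 4 bytes past an aligned address: must be rejected. */
bool check_misaligned(void) { return i420_layout_ok(&sample, sample_buf + 4, sizeof sample_buf - 4, 16); }

int main(void)
{
    printf("sample=%d short_stride=%d misaligned=%d\n", check_sample_layout(), check_short_stride(), check_misaligned());
    return 0;
}
```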
$ gdb --args gst-launch-1.0 videotestsrc ! v4l2h264enc ! fakesink
GNU gdb (GDB) Fedora 8.3-2.fc30
(gdb) r
Définition du pipeline à PAUSED...
Le pipeline est en phase de PREROLL…
Redistribution de latence…
*** stack smashing detected ***: <unknown> terminated
Thread 2 "videotestsrc0:s" received signal SIGABRT, Aborted.
[Switching to Thread 0xb5f86460 (LWP 941)]
0xb6b93200 in raise () from /lib/libc.so.6
(gdb) bt
#0 0xb6b93200 in raise () at /lib/libc.so.6
#1 0xb6b7e364 in abort () at /lib/libc.so.6
#2 0xb6bcdec8 in __libc_message () at /lib/libc.so.6
#3 0xb6c50f80 in __fortify_fail_abort () at /lib/libc.so.6
#4 0xb6c50f24 in __stack_chk_fail () at /lib/libc.so.6
#5 0xb62ac0b4 in video_orc_pack_I420
(d1=0xb5769000 <error: Cannot access memory at address 0xb5769000>, d2=0xb6cb507c <__libc_argv> "D\364\377\276\006", d3=0x0, s1=0x0, n=-1251996216) at tmp-orc.c:1259
#6 0xb5606a18 in ()
(gdb) p *gst_buffer_get_video_meta (res_buf)
$3 = {
meta = {
flags = (GST_META_FLAG_POOLED | GST_META_FLAG_LOCKED),
info = 0xb560fc08
},
buffer = 0x53c5e8 [GstBuffer],
flags = GST_VIDEO_FRAME_FLAG_NONE,
format = GST_VIDEO_FORMAT_I420,
id = 0,
width = 320,
height = 240,
n_planes = 3,
offset = {0, 76800, 96000, 0},
stride = {320, 160, 160, 0},
map = 0xb6285d78 <default_map>,
unmap = 0xb6285d60 <default_unmap>
}