Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1677014imm; Thu, 18 Oct 2018 02:14:06 -0700 (PDT) X-Google-Smtp-Source: ACcGV60cNGXXKYboGQoCm8bExAf+dkF4XNdN1wBVdiDlldqQmle6VKtubO8maXd9nMNKGHHVqEcR X-Received: by 2002:a17:902:8648:: with SMTP id y8-v6mr29773005plt.335.1539854046060; Thu, 18 Oct 2018 02:14:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539854046; cv=none; d=google.com; s=arc-20160816; b=ekOS1+5GuCvyekJSwcxwlE29iLb2W7l/J1oZ5KOmGh4Q1D/FJSrDgLyznE7E1d6fqu Ufe12BcLwUZnVIwUjLIQbjPHethLdVJrdEgHyETlvL/1K3f1hAAFGwqGAx6Vwjex9sLO dPEbFBTXfO0WqQToK6SoeU3+YeY1eJLKE9TeEIkeoT/OStJg+iIPP/tWDN6d3i9RRmqu JmQMiYPII26YBptrJ1GJPAsIV5PhC+PIlHsWqqwXj4EFASqPUgdrCSTXI2WSUYSyHjDF DPcdepU6PL84Qp6SNGDHp2Ydk87mVwiffHzebkQsjpU4+wAKYdnai6Lf9fiS2gYo3wvr kpxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:organization:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=eHvtk7UvViOg6aVvsxQ4k7tyie1TJ2oiHDGCw875WQ8=; b=XDPSpflDvU4IeW1RlapVi4uwmlx3ylQK2TeeQQo/+VvBBOFbaApAoWylHQ697Y+wwj AtldzzoKQPFgqfBCCP+VTeJLdiDcR7U8kYFfoLXg0+Oa67MdA7posz5blq7gjQopKYjY B8NUJZd3pjcA7gtVwPVcJ77ofQwOfVrkEWCKMvvMzs6SJYUh8DYILufYB3Bb+YqDCVvw x0kYfotYbhyfwuNtEX/yEtH2xzrkjFz4o3SFpPUdTn63XFo0q5alz3Q0FKcPzWrQtGi2 GIik0nzhIWdXRPsH6tC5wbyrsHehVnfdRLzQN3popJyIFIwFg/ipoXaeQ07FagteI/fQ v0dA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b65-v6si21586487pfe.265.2018.10.18.02.13.51; Thu, 18 Oct 2018 02:14:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727969AbeJRRN2 (ORCPT + 99 others); Thu, 18 Oct 2018 13:13:28 -0400 Received: from mga05.intel.com ([192.55.52.43]:37391 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727363AbeJRRN1 (ORCPT ); Thu, 18 Oct 2018 13:13:27 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Oct 2018 02:13:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,395,1534834800"; d="scan'208";a="78951352" Received: from lahna.fi.intel.com (HELO lahna) ([10.237.72.157]) by fmsmga007.fm.intel.com with SMTP; 18 Oct 2018 02:13:20 -0700 Received: by lahna (sSMTP sendmail emulation); Thu, 18 Oct 2018 12:13:19 +0300 Date: Thu, 18 Oct 2018 12:13:19 +0300 From: Mika Westerberg To: Wenwen Wang Cc: Kangjie Lu , Andreas Noever , Michael Jamet , Yehezkel Bernat , open list Subject: Re: [PATCH] thunderbolt: Fix a missing-check bug Message-ID: <20181018091319.GT2302@lahna.fi.intel.com> References: <1539784829-1159-1-git-send-email-wang6495@umn.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1539784829-1159-1-git-send-email-wang6495@umn.edu> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Wenwen, On Wed, Oct 17, 2018 at 09:00:29AM -0500, Wenwen Wang wrote: > In tb_cfg_copy(), the header of the received control package, which is in > the buffer 'pkg->buffer', is firstly parsed through parse_header() to make > sure the header is in the expected format. In parse_header(), the header is > actually checked by invoking check_header(), which checks the 'unknown' > field of the header and the response route acquired through > 'tb_cfg_get_route(header)'. If there is no error in this checking process, > the package, including the header, is then copied to 'req->response' in > tb_cfg_copy() through memcpy() and the parsing result is saved to > 'req->result'. > > The problem here is that the whole parsing and checking process is > conducted directly on the buffer 'pkg->buffer', which is actually a DMA > region and allocated through dma_pool_alloc() in tb_ctl_pkg_alloc(). Given > that the DMA region can also be accessed directly by a device at any time, > it is possible that a malicious device can race to modify the package data > after the parsing and checking process but before memcpy() is invoked in > tb_cfg_copy(). Through this way, the attacker can bypass the parsing and > checking process and inject malicious data. This can potentially cause > undefined behavior of the kernel and introduce unexpected security risk. Here the device doing DMA is the Thunderbolt host controller which is soldered on the motherboard (not anything connected via the TBT ports). In addition the buffers we are dealing here are already marked ready by the host controller hardware so it is not expected to touch them anymore (if it did, then it would be a quite nasty bug). What kind of use-case you had in mind that could possibly inject malicious data to these buffers?