From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Andreas Noever, Michael Jamet, Mika Westerberg, Yehezkel Bernat, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] thunderbolt: Fix a missing-check bug
Date: Sat, 20 Oct 2018 12:55:51 -0500
Message-Id: <1540058151-17116-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-kernel@vger.kernel.org

In tb_ctl_rx_callback(), the checksum of the received control packet is calculated on 'pkg->buffer' through tb_crc() and saved to 'crc32'. Then, 'crc32' is compared with the received checksum to confirm the integrity of the received packet. If the checksum does not match, the packet will be dropped. In the following execution, 'pkg->buffer' will be copied through req->copy() and processed if there is an active request and the packet is what is expected.

The problem here is that the above checking process is performed directly on the buffer 'pkg->buffer', which is actually a DMA region. Given that the DMA region can also be accessed directly by a device at any time, it is possible that a malicious device controlled by an attacker can race to modify the content in 'pkg->buffer' after the checksum checking but before req->copy(). By doing so, the attacker can inject malicious data, which can cause undefined behavior of the kernel and introduce a potential security risk.

This patch allocates a new buffer 'buf' to hold the data in 'pkg->buffer'. By performing the checking and copying on 'buf', rather than 'pkg->buffer', the above issue can be avoided.

Signed-off-by: Wenwen Wang
---
 drivers/thunderbolt/ctl.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/thunderbolt/ctl.c b/drivers/thunderbolt/ctl.c
index 37a7f4c..9e40572 100644
--- a/drivers/thunderbolt/ctl.c
+++ b/drivers/thunderbolt/ctl.c
@@ -409,6 +409,8 @@ static void tb_ctl_rx_callback(struct tb_ring *ring, struct ring_frame *frame, struct ctl_pkg *pkg = container_of(frame, typeof(*pkg), frame); struct tb_cfg_request *req; __be32 crc32; + void *pkg_buf = pkg->buffer; + void *buf = NULL; if (canceled) return; /* @@ -422,6 +424,13 @@ static void tb_ctl_rx_callback(struct tb_ring *ring, struct ring_frame *frame, goto rx; } + buf = kzalloc(frame->size, GFP_KERNEL); + if (!buf) + goto rx; + + memcpy(buf, pkg->buffer, frame->size); + pkg->buffer = buf; + frame->size -= 4; /* remove checksum */ crc32 = tb_crc(pkg->buffer, frame->size); be32_to_cpu_array(pkg->buffer, pkg->buffer, frame->size / 4); @@ -476,6 +485,10 @@ static void tb_ctl_rx_callback(struct tb_ring *ring, struct ring_frame *frame, } rx: + if (buf) { + pkg->buffer = pkg_buf; + kfree(buf); + } tb_ctl_rx_submit(pkg); } -- 2.7.4
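Review bot: In the second hunk, `kzalloc(frame->size, GFP_KERNEL)` followed by a full-length `memcpy()` zeroes memory that is overwritten on the next line; `buf = kmemdup(pkg->buffer, frame->size, GFP_KERNEL);` does the same in one call and removes the separate copy. The allocation flag also needs a second look: this is a ring RX callback, so please confirm it never runs in atomic context, otherwise `GFP_KERNEL` can sleep where it must not. The ordering itself is sound: the snapshot is taken before `frame->size -= 4` and before `tb_crc()`, so a copy torn by a concurrent device write simply fails the checksum over `buf` and is dropped, which is the behaviour the commit message wants; a short comment above `memcpy()` saying that the copy exists to take the CRC check and `req->copy()` off the device-writable DMA buffer would make that intent visible to the next reader.

Review bot: The third hunk's restore-and-free at `rx:` makes the fix depend on every path after the allocation falling through to that label; the `return` under `if (canceled)` is before the `kzalloc()` so it is safe, but any early `return` in the unshown region between the two hunks would leave `pkg->buffer` pointing at `buf`, leak it, and hand a stale pointer to the next `tb_ctl_rx_submit(pkg)`. Swapping the pointer in `pkg->buffer` and swapping it back is the fragile part: consider leaving `pkg->buffer` untouched and passing `buf` to `tb_crc()`, `be32_to_cpu_array()` and the later `req->copy()` path directly, so nothing needs restoring and the `pkg_buf` temporary goes away. If the swap is kept, a comment next to `pkg->buffer = pkg_buf;` stating that the original DMA pointer must be back in place before `tb_ctl_rx_submit()` re-queues the frame would document why the order of those two lines matters.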