From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Andreas Noever, Michael Jamet, Mika Westerberg, Yehezkel Bernat, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] thunderbolt: fix a missing-check bug
Date: Sat, 20 Oct 2018 14:47:49 -0500
Message-Id: <1540064869-17849-1-git-send-email-wang6495@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

In ring_work(), the first while loop is used to collect all completed frames from the ring buffer. In each iteration of this loop, the flag of the frame, i.e., 'ring->descriptors[ring->tail].flags', is first checked to see whether the frame is completed. If yes, the descriptor of the frame, including the flag, is then copied. It is worth noting that the descriptor is actually in a DMA region, which is allocated through dma_alloc_coherent() in tb_ring_alloc(). Given that the device can also access the DMA region, a malicious device controlled by an attacker can race to modify the flag of the frame after the check but before the copy. By doing so, the attacker can bypass the check and supply an uncompleted frame, which can cause undefined behavior of the kernel and introduce a potential security risk.

This patch first copies the flag into a local variable 'desc_flags' and then performs the check and copy using 'desc_flags'. In this way, the above issue can be avoided.

Signed-off-by: Wenwen Wang
---
 drivers/thunderbolt/nhi.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c index 5cd6bdf..22bd6cf 100644 --- a/drivers/thunderbolt/nhi.c +++ b/drivers/thunderbolt/nhi.c @@ -215,6 +215,7 @@ static void ring_work(struct work_struct *work) struct ring_frame *frame; bool canceled = false; unsigned long flags; + enum ring_desc_flags desc_flags; LIST_HEAD(done); spin_lock_irqsave(&ring->lock, flags);
@@ -228,8 +229,8 @@ static void ring_work(struct work_struct *work) } while (!ring_empty(ring)) { - if (!(ring->descriptors[ring->tail].flags - & RING_DESC_COMPLETED)) + desc_flags = ring->descriptors[ring->tail].flags; + if (!(desc_flags & RING_DESC_COMPLETED)) break; frame = list_first_entry(&ring->in_flight, typeof(*frame), list); @@ -238,7 +239,7 @@ static void ring_work(struct work_struct *work) frame->size = ring->descriptors[ring->tail].length; frame->eof = ring->descriptors[ring->tail].eof; frame->sof = ring->descriptors[ring->tail].sof; - frame->flags = ring->descriptors[ring->tail].flags; + frame->flags = desc_flags; } ring->tail = (ring->tail + 1) % ring->size; } -- 2.7.4
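Review bot: in the first hunk (@@ -215,6 +215,7 @@), `enum ring_desc_flags desc_flags;` is declared at function scope, but the variable is only assigned and read inside the `while (!ring_empty(ring))` loop body; declaring it where it is first assigned keeps its scope to the one iteration that uses it and makes it impossible for a later iteration to pick up a stale value. The commit message also says the descriptor "including the flag" is copied, while the code copies `length`, `eof`, `sof` and `flags` as four separate loads; the message should describe the fields actually touched.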
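Review bot: in the second hunk (@@ -228,8 +229,8 @@), `desc_flags = ring->descriptors[ring->tail].flags;` is a plain C load from memory that the device writes concurrently, so nothing prevents the compiler from re-reading the field at the later `frame->flags = desc_flags;` use instead of keeping one value; the kernel idiom for a one-shot read of memory another agent may change is `READ_ONCE(ring->descriptors[ring->tail].flags)`. If the point of the patch is that the value checked and the value stored are the same, the load should be `READ_ONCE()` and the commit message should say why the plain load was insufficient.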
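Review bot: in the third hunk (@@ -238,7 +239,7 @@), only `frame->flags` now comes from the snapshot; the three unchanged lines above it, `frame->size = ring->descriptors[ring->tail].length;`, `frame->eof = ring->descriptors[ring->tail].eof;` and `frame->sof = ring->descriptors[ring->tail].sof;`, still read the live descriptor after the completed check, so a device racing in the window the commit message describes can still hand the driver an arbitrary `size`, which is the field the upper layer uses to consume the buffer. To actually close the window, copy the whole descriptor once before the check and fill `frame` from that copy; otherwise the commit message overstates what this change achieves. Either way, a device that can write the ring can write a bogus length before the check as easily as after it, so `size` still needs to be bounded by the buffer that was posted for the frame.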
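A userspace model of the check-then-copy race the commit message describes, added here as an illustration; it is not code from the patch or from drivers/thunderbolt/nhi.c. The descriptor layout, the RING_DESC_COMPLETED bit value, the hook that stands in for the device's write landing between check and copy, and the collect_* names are all assumptions for the demonstration. It runs three consumers against the same constructed device write: the original field-by-field reads, the patch's flags-only snapshot, and a whole-descriptor snapshot taken with single volatile loads.

```c
/* Added example: userspace model of the ring_work() check-then-copy race.
 * Not code from the patch or from drivers/thunderbolt; the layout, the flag
 * value, the device hook and the collect_* names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RING_SIZE 4
#define RING_DESC_COMPLETED 0x200u   /* assumed bit, not the driver's value */

struct ring_desc {                   /* assumed layout of one DMA descriptor */
    uint64_t phys;
    uint32_t length, eof, sof, flags;
};

struct ring_frame { uint32_t size, eof, sof, flags; };

struct ring {
    struct ring_desc descriptors[RING_SIZE]; /* stands in for the coherent DMA ring */
    unsigned int tail;
};

/* One volatile load: the userspace equivalent of the kernel's READ_ONCE(). */
#define DMA_READ(x) (*(volatile __typeof__(x) *)&(x))

/* A hook models the device's write landing between the check and the copy. */
typedef void (*device_hook)(struct ring *ring);

/* Original driver path: check, then every field read again from live memory. */
static bool collect_original(struct ring *ring, struct ring_frame *f, device_hook hook)
{
    if (!(ring->descriptors[ring->tail].flags & RING_DESC_COMPLETED))
        return false;
    hook(ring);
    f->size  = ring->descriptors[ring->tail].length;
    f->eof   = ring->descriptors[ring->tail].eof;
    f->sof   = ring->descriptors[ring->tail].sof;
    f->flags = ring->descriptors[ring->tail].flags;
    return true;
}

/* The patch: flags copied before the check, the other fields still read live. */
static bool collect_patched(struct ring *ring, struct ring_frame *f, device_hook hook)
{
    uint32_t desc_flags = ring->descriptors[ring->tail].flags;
    if (!(desc_flags & RING_DESC_COMPLETED))
        return false;
    hook(ring);
    f->size  = ring->descriptors[ring->tail].length;
    f->eof   = ring->descriptors[ring->tail].eof;
    f->sof   = ring->descriptors[ring->tail].sof;
    f->flags = desc_flags;
    return true;
}

/* Whole descriptor snapshotted once; check and copy both use the snapshot. */
static bool collect_snapshot(struct ring *ring, struct ring_frame *f, device_hook hook)
{
    struct ring_desc *live = &ring->descriptors[ring->tail], d;
    d.length = DMA_READ(live->length);
    d.eof    = DMA_READ(live->eof);
    d.sof    = DMA_READ(live->sof);
    d.flags  = DMA_READ(live->flags);
    if (!(d.flags & RING_DESC_COMPLETED))
        return false;
    hook(ring);
    f->size  = d.length;
    f->eof   = d.eof;
    f->sof   = d.sof;
    f->flags = d.flags;
    return true;
}

/* Constructed attacker behaviour: un-complete the frame and plant a bogus length. */
static void malicious_device(struct ring *ring)
{
    ring->descriptors[ring->tail].flags &= ~RING_DESC_COMPLETED;
    ring->descriptors[ring->tail].length = 0xFFF;
}

/* Constructed starting state: the device has completed one 64-byte frame at tail 0. */
static void setup_ring(struct ring *ring)
{
    memset(ring, 0, sizeof(*ring));
    ring->descriptors[0].length = 64;
    ring->descriptors[0].eof = ring->descriptors[0].sof = 1;
    ring->descriptors[0].flags = RING_DESC_COMPLETED;
}

/* Runs one consumer against the racing device and returns what it handed up. */
static struct ring_frame run_collect(bool (*collect)(struct ring *, struct ring_frame *, device_hook))
{
    struct ring ring;
    struct ring_frame f = { 0 };
    setup_ring(&ring);
    collect(&ring, &f, malicious_device);
    return f;
}
```

With the device write landing in the window, `collect_original` hands up a frame whose flags no longer say COMPLETED and whose size is the planted 0xFFF; `collect_patched` reports COMPLETED but still carries the planted size, which is the field a consumer would use to read the buffer; only `collect_snapshot` returns the 64-byte frame that passed the check. The snapshot makes the frame consistent with the state that was validated, not trustworthy: a device that writes the ring can plant the bad length before the check too, so the consumer must still bound `size` by the buffer it posted.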