Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp1964011ima; Mon, 22 Oct 2018 01:34:18 -0700 (PDT) X-Google-Smtp-Source: AJdET5ekS5ik0DBFJ+LpQF2Gq4qvGWiDVPMz6ro1Re9xRd96+acvgDc4/J3QXU698ySedKOu5Z3j X-Received: by 2002:a63:b51e:: with SMTP id y30-v6mr3195608pge.420.1540197257996; Mon, 22 Oct 2018 01:34:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540197257; cv=none; d=google.com; s=arc-20160816; b=EaNytYml6vK9ac8TV0Di9pDr1OtPi76Xb+CWt/0Wk1bRDf9m8VL9id4xpLxaKaTwl6 hdzylBV9BwlVjer//wOLXDhwNHzAvZ5umW5YI4bx2dVMFY05W5VED9m3lHFzfdzgFvOu Et54+XzQ8fSlK/3TVaV2o4HyqGC2TETU/BIsfPBgUVfFbRY7GGfb96aK2Av621QThF0N MJl7mjje/2MGoUIa4EEFwAp2qoI9v2NzVF07Rj7lHo6V4PAFwSCEsk5nm7YTV0QaF6xe LvvTHSjfD6kptX+AgQaGz7N5kbBT2qze09wgo01AMIR9U/tfuraZSvZbHy+WTPktmAaq VR5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:organization:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=5dmiksB5y98noM3XGe0nK7HMNFSfzdeHFedlFgFWmMg=; b=MEdIQguq0LE+mPEme424z7wAFDuw9vwDswMybFirhGts20sLkg39UPgJm7kHgdUuY4 yKukg5fr2ilZNevIsmI7tILcFYeBrDneM8zMX3G0ViDUzEMy4I9wb8FRckmfYlDKsMMN NvO7qGOmLxLieVU6E7FRuk+mP2/CTf7rZmbX1H7+ThTV/sWyviJOq+HHYzWvm+aDV22i vOPKXfPx4NIrSE1UmBfZ2qeDF7PD8P1lLxftTMQ1Mzw6pz72T8XrS1w0PysVRGM87Zsa S0bgECktebbG1aUwtLtYD41nO42egmBGBgP+ywyuqNm1CjEQ/bmfPz5bJRWVipaYypBF fNiA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l14-v6si33417774pgi.34.2018.10.22.01.34.02; Mon, 22 Oct 2018 01:34:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727748AbeJVQWT (ORCPT + 99 others); Mon, 22 Oct 2018 12:22:19 -0400 Received: from mga18.intel.com ([134.134.136.126]:46107 "EHLO mga18.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727523AbeJVQWT (ORCPT ); Mon, 22 Oct 2018 12:22:19 -0400 X-Amp-Result: UNSCANNABLE X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 Oct 2018 01:04:52 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,411,1534834800"; d="scan'208";a="267697003" Received: from lahna.fi.intel.com (HELO lahna) ([10.237.72.157]) by orsmga005.jf.intel.com with SMTP; 22 Oct 2018 01:04:50 -0700 Received: by lahna (sSMTP sendmail emulation); Mon, 22 Oct 2018 11:04:49 +0300 Date: Mon, 22 Oct 2018 11:04:49 +0300 From: Mika Westerberg To: Wenwen Wang Cc: Kangjie Lu , Andreas Noever , Michael Jamet , Yehezkel Bernat , open list Subject: Re: [PATCH] thunderbolt: Fix a missing-check bug Message-ID: <20181022080449.GK2302@lahna.fi.intel.com> References: <1540058151-17116-1-git-send-email-wang6495@umn.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1540058151-17116-1-git-send-email-wang6495@umn.edu> Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Sat, Oct 20, 2018 at 12:55:51PM -0500, Wenwen Wang wrote: > In tb_ctl_rx_callback(), the checksum of the received control packet is > calculated on 'pkg->buffer' through tb_crc() and saved to 'crc32', Then, > 'crc32' is compared with the received checksum to confirm the integrity of > the received packet. If the checksum does not match, the packet will be > dropped. In the following execution, 'pkg->buffer' will be copied through > req->copy() and processed if there is an active request and the packet is > what is expected. > > The problem here is that the above checking process is performed directly > on the buffer 'pkg->buffer', which is actually a DMA region. Given that the > DMA region can also be accessed directly by a device at any time, it is > possible that a malicious device controlled by an attacker can race to > modify the content in 'pkg->buffer' after the checksum checking but before > req->copy(). By doing so, the attacker can inject malicious data, which can > cause undefined behavior of the kernel and introduce potential security > risk. > > This patch allocates a new buffer 'buf' to hold the data in 'pkg->buffer'. > By performing the checking and copying on 'buf', rather than 'pkg->buffer', > the above issue can be avoided. Here same comment applies than to the previous one - this is something that requires the attacker to have physical access to the system and requires him to either replace the firmware or the hardware itself with a malicious one and in that case protection like this here does not actually help because they can just overwrite it directly. BTW, just in case you send multiple patches to other subsystems as well it is good to have $subject contain summary of the fix in a way that one can distinguish between them. For example you sent 4 patches with all having: thunderbolt: Fix a missing-check bug in the $subject. So for example I originally thought that you sent the same patch several times :)