From: Wenwen Wang
Date: Mon, 29 Oct 2018 13:39:49 -0500
Subject: Re: [PATCH] intel_th: Fix a missing-check bug
To: Wenwen Wang
Cc: Kangjie Lu, alexander.shishkin@linux.intel.com, open list
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

Can anyone confirm this bug? Thanks!

Wenwen

On Fri, Oct 19, 2018 at 8:47 AM Wenwen Wang wrote:
>
> In msc_data_sz(), the 'valid_dw' field of the msc block descriptor 'bdesc'
> is firstly checked to see whether the descriptor has a valid data width. If
> yes, i.e., 'bdesc->valid_dw' is not 0, the data size of this descriptor
> will be returned. It is worth noting that the data size is calculated from
> 'bdesc->valid_dw'. The problem here is that 'bdesc' actually points to a
> consistent DMA region, which is allocated through dma_alloc_coherent() in
> msc_buffer_win_alloc(). Given that the device also has the permission to
> access this DMA region, it is possible that a malicious device controlled
> by an attacker can modify the 'valid_dw' field after the if statement but
> before the return statement in msc_data_sz(). Through this way, the device
> can bypass the check and supply unexpected data width.
>
> This patch copies the 'valid_dw' field to a local variable and then
> performs the check and the calculation on the local variable to avoid the
> above issue.
>
> Signed-off-by: Wenwen Wang
> ---
>  drivers/hwtracing/intel_th/msu.h | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/hwtracing/intel_th/msu.h b/drivers/hwtracing/intel_th/msu.h
> index 9cc8ace..b7d846e 100644
> --- a/drivers/hwtracing/intel_th/msu.h
> +++ b/drivers/hwtracing/intel_th/msu.h
> @@ -79,10 +79,12 @@ struct msc_block_desc { > > static inline unsigned long msc_data_sz(struct msc_block_desc *bdesc) > { > - if (!bdesc->valid_dw) > + u32 valid_dw = bdesc->valid_dw; > + > + if (!valid_dw) > return 0; > > - return bdesc->valid_dw * 4 - MSC_BDESC; > + return valid_dw * 4 - MSC_BDESC; > } > > static inline bool msc_block_wrapped(struct msc_block_desc *bdesc) > -- > 2.7.4 >
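Review bot: the snapshot `u32 valid_dw = bdesc->valid_dw;` is a plain C load, so the compiler is still permitted to re-read `bdesc->valid_dw` from the DMA-coherent buffer for the later `valid_dw * 4 - MSC_BDESC` instead of keeping the first value; to guarantee exactly one fetch of device-writable memory, which is the whole point of the change, take the copy with `u32 valid_dw = READ_ONCE(bdesc->valid_dw);`. Separately, the only check in this hunk is `if (!valid_dw)`: a device can still supply any non-zero `valid_dw`, and `valid_dw * 4 - MSC_BDESC` is returned with no lower bound (it wraps when `valid_dw * 4` is less than `MSC_BDESC`) and no upper bound against the size of the block the descriptor covers, so msc_data_sz() or every caller that uses its result as a length must clamp it. The commit message says the device can no longer "bypass the check", which is true for the double read but not for an out-of-range value; worth stating that limitation in the message.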