Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp5098267ybv; Tue, 11 Feb 2020 09:07:59 -0800 (PST) X-Google-Smtp-Source: APXvYqzDw9Hf0oObNM+ZSCffHOqz2IB/GEsb8BEguPCSbk3AcsGvaC2uC9uuytnoa1mnqI7gilmd X-Received: by 2002:a9d:3b09:: with SMTP id z9mr6074921otb.195.1581440879472; Tue, 11 Feb 2020 09:07:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581440879; cv=none; d=google.com; s=arc-20160816; b=lpVMWjNI3v7GaYd9KyY3UB33phiKU/aCDG8IKOxAPI6fXRtsUrnUMb4B+YaYP2xkoc TOh3qH7+IT1QArVUx47V3vpu0PicYl+Om5VTjmiGoI2tfEQ1MENoQP6G3zZ34EeA8RyC JuGQSIu9pFjQkw433jsdYdDBFCKi6LUhRMw1Epzq+kxV0ihD5R+w0oec/16RsIQE0f0k fFZUROgFhAyMzccIB7vkMsZwtjQlykjvh/0iQ1s8du2vdeZCY+hDpVAY1ZSkOj9rD4iU 1GT+tqw6ORJcB7uJYfHqwMvCE3xOxQnQNMkxMCs40ZuyPOpVfxwGis9KY49L5fsBYlbo 3woA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=huxy+06Dy+yNK845pHnqhikfUb4a1JjlE18pHYo3lI4=; b=TVjtKTkMDzF7jTM6mkodx5t6NKqz1x0eslv5ccFWJ7kibG2t41IJSZ1CVc8A8eV0eJ w3yqIRKA43Eim2ri8YI8yv3tCQ4bIlPPgjybrp1SWSOvRmyMcw4G+SKh+lj/ukaFHBON mNNrRdKNXYvkmRgS0gTTiDdKGgijjMqEpT4g1J/5f6n/JI0GbsOSLiqCL0pZ3DmTgJ5g WnLhheCYdwh10q2gR/Ds5Bp/sJBP3UxxhZRfS7MkfvOqiyDhWYLPrEL1icW1V9vAIoVr MpnLiuAQai/Du3YwMiuDlGNYfKbtz489NcwJUUdCXFkMO6Lggn4lxo3N3wMyzLu1tTsW mRdw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r82si1934572oie.116.2020.02.11.09.07.44; Tue, 11 Feb 2020 09:07:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729890AbgBKQFb (ORCPT + 99 others); Tue, 11 Feb 2020 11:05:31 -0500 Received: from mga02.intel.com ([134.134.136.20]:46677 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728102AbgBKQFa (ORCPT ); Tue, 11 Feb 2020 11:05:30 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Feb 2020 08:05:30 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,428,1574150400"; d="scan'208";a="256514604" Received: from twinkler-lnx.jer.intel.com ([10.12.91.155]) by fmsmga004.fm.intel.com with ESMTP; 11 Feb 2020 08:05:28 -0800 From: Tomas Winkler To: Greg Kroah-Hartman Cc: Alexander Usyskin , linux-kernel@vger.kernel.org, Tomas Winkler Subject: [char-misc-next] mei: limit number of bytes in mei header. Date: Tue, 11 Feb 2020 18:05:22 +0200 Message-Id: <20200211160522.7562-1-tomas.winkler@intel.com> X-Mailer: git-send-email 2.21.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The MEI message header provides only 9 bits for storing the message size, limiting to 511. In theory the host buffer (hbuf) can contain up to 1020 bytes (limited by byte = 255 * 4) With the current hardware and hbuf size 512, this is not a real issue, but as hardening approach we enforce the limit. Signed-off-by: Tomas Winkler --- drivers/misc/mei/client.c | 4 ++-- drivers/misc/mei/hw.h | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/misc/mei/client.c b/drivers/misc/mei/client.c index 1e3edbbacb1e..204d807e755b 100644 --- a/drivers/misc/mei/client.c +++ b/drivers/misc/mei/client.c @@ -1585,7 +1585,7 @@ int mei_cl_irq_write(struct mei_cl *cl, struct mei_cl_cb *cb, goto err; } - hbuf_len = mei_slots2data(hbuf_slots); + hbuf_len = mei_slots2data(hbuf_slots) & MEI_MSG_MAX_LEN_MASK; dr_slots = mei_dma_ring_empty_slots(dev); dr_len = mei_slots2data(dr_slots); @@ -1718,7 +1718,7 @@ ssize_t mei_cl_write(struct mei_cl *cl, struct mei_cl_cb *cb) goto out; } - hbuf_len = mei_slots2data(hbuf_slots); + hbuf_len = mei_slots2data(hbuf_slots) & MEI_MSG_MAX_LEN_MASK; dr_slots = mei_dma_ring_empty_slots(dev); dr_len = mei_slots2data(dr_slots); diff --git a/drivers/misc/mei/hw.h b/drivers/misc/mei/hw.h index d025a5f8317e..8231b6941adf 100644 --- a/drivers/misc/mei/hw.h +++ b/drivers/misc/mei/hw.h @@ -209,6 +209,9 @@ struct mei_msg_hdr { u32 extension[0]; } __packed; +/* The length is up to 9 bits */ +#define MEI_MSG_MAX_LEN_MASK GENMASK(9, 0) + #define MEI_MSG_HDR_MAX 2 struct mei_bus_message { -- 2.21.1