From: Bhaumik Bhatt
To: mani@kernel.org
Cc: linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, hemantk@codeaurora.org, jhugo@codeaurora.org, Bhaumik Bhatt
Subject: [PATCH v3 4/9] bus: mhi: core: Read transfer length from an event properly
Date: Wed, 29 Apr 2020 13:52:26 -0700
Message-Id: <1588193551-31439-5-git-send-email-bbhatt@codeaurora.org>
In-Reply-To: <1588193551-31439-1-git-send-email-bbhatt@codeaurora.org>
References: <1588193551-31439-1-git-send-email-bbhatt@codeaurora.org>

From: Hemant Kumar

When MHI Driver receives an EOT event, it reads xfer_len from the event in the last TRE. The value is under control of the MHI device and never validated by Host MHI driver. The value should never be larger than the real size of the buffer but a malicious device can set the value 0xFFFF as maximum. This causes driver to memory overflow (both read or write).

Fix this issue by reading minimum of transfer length from event and the buffer length provided.

Signed-off-by: Hemant Kumar
Signed-off-by: Bhaumik Bhatt
---
 drivers/bus/mhi/core/main.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c index b8e4aac..0afbaa1 100644 --- a/drivers/bus/mhi/core/main.c +++ b/drivers/bus/mhi/core/main.c @@ -521,7 +521,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, mhi_cntrl->unmap_single(mhi_cntrl, buf_info); result.buf_addr = buf_info->cb_buf; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = + min_t(u16, xfer_len, buf_info->len); mhi_del_ring_element(mhi_cntrl, buf_ring); mhi_del_ring_element(mhi_cntrl, tre_ring); local_rp = tre_ring->rp;
--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project
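
Review bot: In the added min_t(u16, xfer_len, buf_info->len) line, the u16 cast applies to both operands, so a buf_info->len above 0xFFFF is truncated before the comparison (a length of 0x10000 would compare as 0) and bytes_xferd could be reported smaller than what was actually transferred. If buf_info->len is wider than 16 bits, compare in that wider type instead, for example min_t(size_t, xfer_len, buf_info->len), or say in the comment that buffer lengths are bounded to 16 bits. A device-reported length larger than the buffer is a protocol violation, so a rate-limited warning when the clamp takes effect would make the condition visible instead of silently truncating. The hunk only clamps this one assignment; it is worth confirming that no other use of the unclamped xfer_len remains in parse_xfer_event().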