From: Bhaumik Bhatt
To: manivannan.sadhasivam@linaro.org
Cc: linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, hemantk@codeaurora.org, jhugo@codeaurora.org, Bhaumik Bhatt
Subject: [PATCH v7 4/8] bus: mhi: core: Read transfer length from an event properly
Date: Fri, 8 May 2020 19:26:44 -0700
Message-Id: <1588991208-26928-5-git-send-email-bbhatt@codeaurora.org>
In-Reply-To: <1588991208-26928-1-git-send-email-bbhatt@codeaurora.org>
References: <1588991208-26928-1-git-send-email-bbhatt@codeaurora.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Hemant Kumar

When the MHI driver receives an EOT event, it reads xfer_len from the event in the last TRE. The value is under the control of the MHI device and is never validated by the host MHI driver. The value should never be larger than the real size of the buffer, but a malicious device can set the value to the maximum, 0xFFFF. This causes the driver to overflow memory (both read and write).

Fix this issue by reading the minimum of the transfer length from the event and the buffer length provided.

Signed-off-by: Hemant Kumar
Signed-off-by: Bhaumik Bhatt
Reviewed-by: Jeffrey Hugo
---
 drivers/bus/mhi/core/main.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c
index 30798ec..6a80666 100644
--- a/drivers/bus/mhi/core/main.c
+++ b/drivers/bus/mhi/core/main.c
@@ -514,7 +514,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, mhi_cntrl->unmap_single(mhi_cntrl, buf_info); result.buf_addr = buf_info->cb_buf; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = + min_t(u16, xfer_len, buf_info->len); mhi_del_ring_element(mhi_cntrl, buf_ring); mhi_del_ring_element(mhi_cntrl, tre_ring); local_rp = tre_ring->rp;
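Review bot: min_t(u16, xfer_len, buf_info->len) in parse_xfer_event converts buf_info->len to u16 before comparing, so if len is wider than 16 bits (its declaration is not visible in this hunk) a buffer of 65536 bytes or more is truncated first and the "minimum" can come out smaller than either real value; comparing in the wider type, e.g. `min_t(size_t, xfer_len, buf_info->len)` or an explicit `if (xfer_len > buf_info->len)`, avoids that. The clamp is also silent: a device reporting more than buf_info->len is violating the protocol, but nothing in this hunk logs it or marks result.transaction_status, so the case the commit message calls malicious looks to the client exactly like a legitimately full buffer.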
@@ -598,7 +601,9 @@ static int parse_rsc_event(struct mhi_controller *mhi_cntrl, result.transaction_status = (ev_code == MHI_EV_CC_OVERFLOW) ? -EOVERFLOW : 0; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = min_t(u16, xfer_len, buf_info->len); result.buf_addr = buf_info->cb_buf; result.dir = mhi_chan->dir; -- The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project
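Review bot: in parse_rsc_event result.transaction_status is derived two lines above purely from ev_code, so when xfer_len exceeds buf_info->len the length is clamped but the client still receives status 0 and bytes_xferd == buf_info->len, indistinguishable from an honest full transfer. Since -EOVERFLOW is already the status used for MHI_EV_CC_OVERFLOW right there, consider `if (xfer_len > buf_info->len) result.transaction_status = -EOVERFLOW;` (or at least a dev_err) ahead of the assignment, so the misbehaving device the commit message describes is reported rather than masked. The u16 cast of buf_info->len noted for the first hunk applies to this min_t as well.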
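As an added example (not code from this patch or from the MHI driver), the following C models the host side of the EOT completion the commit message describes: the device supplies a 16-bit transfer length, the host holds its own record of the buffer size. It goes a step beyond the patch in two ways: it spells out what min_t(u16, ...) does when the host-side length is wider than 16 bits, and it reports a clamped length through transaction_status instead of truncating silently. The struct and function names, the 1500-byte RX buffer and the 0xFFFF event are constructed stand-ins, not the driver's.

```c
/*
 * Added example, not code from this patch or from the MHI driver: a
 * host-side model of the EOT completion the commit message describes.
 * The device supplies a 16-bit transfer length; the host holds its own
 * record of the buffer size. Names, the 1500-byte buffer and the 0xFFFF
 * event are constructed stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct buf_info {
    uint8_t *cb_buf;        /* buffer handed back to the client */
    size_t   len;           /* host's own record of its size */
};

struct xfer_result {
    size_t bytes_xferd;
    int    transaction_status;
};

/* Before the patch: the device's length becomes the client's byte count. */
static size_t bytes_xferd_unchecked(uint16_t dev_len)
{
    return dev_len;
}

/* Bytes a client that trusts bytes_xferd would touch past the end of a
 * buf_len-byte buffer. */
static size_t overrun_bytes(size_t bytes_xferd, size_t buf_len)
{
    return bytes_xferd > buf_len ? bytes_xferd - buf_len : 0;
}

/* The patch's min_t(u16, xfer_len, buf_info->len), spelled out: both
 * operands are converted to u16 before the comparison, so a buffer of
 * 65536 bytes or more collapses to a small value first and the result is
 * no longer the minimum of the two real quantities. */
static size_t bytes_xferd_min_t_u16(uint16_t dev_len, size_t buf_len)
{
    uint16_t a = dev_len;
    uint16_t b = (uint16_t)buf_len;

    return a < b ? a : b;
}

/* Clamp in the wider type and record that the device misreported, so the
 * client can tell a hostile length from an honest full buffer. */
static int complete_xfer(uint16_t dev_len, size_t buf_len,
                         struct xfer_result *res)
{
    size_t n = dev_len;

    res->transaction_status = 0;
    if (n > buf_len) {
        n = buf_len;
        res->transaction_status = -EOVERFLOW;
    }
    res->bytes_xferd = n;
    return res->transaction_status;
}

/* Convenience: just the clamped count for a given buffer size. */
static size_t clamped_len(uint16_t dev_len, size_t buf_len)
{
    struct xfer_result res;

    complete_xfer(dev_len, buf_len, &res);
    return res.bytes_xferd;
}

#define RX_BUF_SIZE 1500    /* constructed: one queued 1500-byte RX buffer */

/* One completion end to end. The client memcpy is bounded by the clamped
 * count, so it cannot read past rx_buf. Returns bytes copied and stores
 * the host's status. */
static size_t run_completion(uint16_t dev_len, int *status)
{
    static uint8_t rx_buf[RX_BUF_SIZE];
    static uint8_t client_buf[RX_BUF_SIZE];
    struct buf_info bi = { .cb_buf = rx_buf, .len = sizeof(rx_buf) };
    struct xfer_result res;

    memset(rx_buf, 0xA5, sizeof(rx_buf));           /* constructed payload */
    *status = complete_xfer(dev_len, bi.len, &res);
    memcpy(client_buf, bi.cb_buf, res.bytes_xferd);  /* never exceeds bi.len */
    return res.bytes_xferd;
}

int main(void)
{
    int status;
    size_t n;

    n = bytes_xferd_unchecked(0xFFFF);
    printf("unchecked: %zu bytes, %zu past the buffer\n",
           n, overrun_bytes(n, RX_BUF_SIZE));
    printf("min_t(u16) with 1500-byte buffer: %zu\n",
           bytes_xferd_min_t_u16(0xFFFF, RX_BUF_SIZE));
    printf("min_t(u16) with 65536-byte buffer: %zu\n",
           bytes_xferd_min_t_u16(0xFFFF, 65536));
    printf("checked with 65536-byte buffer: %zu\n", clamped_len(0xFFFF, 65536));
    n = run_completion(0xFFFF, &status);
    printf("checked: %zu bytes, status %d\n", n, status);
    return 0;
}
```

The hostile 0xFFFF event against a 1500-byte buffer is the case from the commit message: unchecked it hands the client 64035 bytes past the buffer, clamped it yields 1500 with -EOVERFLOW attached. The 65536-byte case is the one a u16 clamp gets wrong and a size_t comparison gets right.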