From: mani@kernel.org
To: gregkh@linuxfoundation.org
Cc: hemantk@codeaurora.org, jhugo@codeaurora.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Bhaumik Bhatt, Manivannan Sadhasivam
Subject: [PATCH 04/14] bus: mhi: core: Read transfer length from an event properly
Date: Thu, 21 May 2020 20:55:30 +0530
Message-Id: <20200521152540.17335-5-mani@kernel.org>
In-Reply-To: <20200521152540.17335-1-mani@kernel.org>
References: <20200521152540.17335-1-mani@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Hemant Kumar

When the MHI driver receives an EOT event, it reads xfer_len from the
event in the last TRE. The value is under the control of the MHI device
and is never validated by the host MHI driver. The value should never be
larger than the real size of the buffer, but a malicious device can set
the value to the maximum, 0xFFFF. This causes the driver to overflow
memory (both read and write). Fix this issue by reading the minimum of
the transfer length from the event and the buffer length provided.

Signed-off-by: Hemant Kumar
Signed-off-by: Bhaumik Bhatt
Reviewed-by: Jeffrey Hugo
Reviewed-by: Manivannan Sadhasivam
Signed-off-by: Manivannan Sadhasivam
---
 drivers/bus/mhi/core/main.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c
index 64022865cb75..a394691d9383 100644
--- a/drivers/bus/mhi/core/main.c
+++ b/drivers/bus/mhi/core/main.c
@@ -513,7 +513,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, mhi_cntrl->unmap_single(mhi_cntrl, buf_info); result.buf_addr = buf_info->cb_buf; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = + min_t(u16, xfer_len, buf_info->len); mhi_del_ring_element(mhi_cntrl, buf_ring); mhi_del_ring_element(mhi_cntrl, tre_ring); local_rp = tre_ring->rp; @@ -597,7 +600,9 @@ static int parse_rsc_event(struct mhi_controller *mhi_cntrl, result.transaction_status = (ev_code == MHI_EV_CC_OVERFLOW) ? -EOVERFLOW : 0; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = min_t(u16, xfer_len, buf_info->len); result.buf_addr = buf_info->cb_buf; result.dir = mhi_chan->dir; -- 2.26.GIT
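Review bot: in the parse_xfer_event hunk, min_t(u16, xfer_len, buf_info->len) casts both operands to u16 before comparing, so if buf_info->len is wider than 16 bits (its type is not visible in this hunk) a buffer of 65536 bytes or more is truncated to a small value and bytes_xferd is under-reported instead of clamped. Consider doing the comparison in the wider type, e.g. min_t(size_t, xfer_len, buf_info->len) or whatever type buf_info->len actually has. The truncation path is also silent: a length larger than the posted buffer can only come from a broken or hostile device, so a rate-limited dev_err()/dev_warn() there would make the condition visible in host logs.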
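Review bot: in the parse_rsc_event hunk, when xfer_len exceeds buf_info->len the length is clamped but result.transaction_status is still 0 unless ev_code was MHI_EV_CC_OVERFLOW, so the client is told the transfer completed cleanly with a length the device never reported. Consider returning an error status on the truncation path (this function already maps the overflow completion code to -EOVERFLOW, which fits) so clients can discard the data rather than act on it. The comment "truncate to buf len if xfer_len is larger" and the min_t() expression are duplicated verbatim from parse_xfer_event; a small shared helper would keep the two paths from drifting apart.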
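As an added, stand-alone illustration of the bug class the commit message describes (a device-controlled length trusted by the host), here is a C model that is not the MHI driver's code: a fake completion event with a 16-bit, device-supplied length, a host-posted buffer whose length is the only trusted one, the unchecked "before" accounting, the clamped "after", and the narrow-type comparison pitfall. All names (fake_event, fake_buf, clamp_xfer_len, consume and friends) and all input values are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MHI driver code. A completion event whose length field
 * is written by the device, so the host must treat it as untrusted input. */
struct fake_event {
    uint16_t xfer_len;   /* device-reported bytes transferred (16 bits, like the TRE field) */
};

/* A host-posted receive buffer; len is the only length the host can trust. */
struct fake_buf {
    uint8_t *data;
    size_t   len;
};

/* Before the fix: the device-supplied length is passed through untouched. A
 * client that then reads bytes_xferd bytes from the buffer walks past its end.
 * Kept for contrast only. */
static size_t unchecked_bytes_xferd(const struct fake_event *ev)
{
    return ev->xfer_len;
}

/* After the fix: clamp to the buffer length. The comparison is done in size_t,
 * so a host buffer longer than 65535 bytes is not itself truncated before the
 * compare. *truncated (may be NULL) records that the device reported more than
 * the buffer holds, so callers can log it or flag the transfer instead of
 * silently accepting the data. */
static size_t clamp_xfer_len(uint16_t xfer_len, size_t buf_len, bool *truncated)
{
    size_t xfer = xfer_len;               /* widen first, then compare */
    bool oversized = xfer > buf_len;
    if (truncated)
        *truncated = oversized;
    return oversized ? buf_len : xfer;
}

/* The narrow-type pitfall: comparing after casting both sides to uint16_t, the
 * way a min-with-16-bit-type macro would. A 0x10000-byte buffer compares as 0. */
static size_t clamp_xfer_len_u16(uint16_t xfer_len, size_t buf_len)
{
    uint16_t narrow = (uint16_t)buf_len;  /* 0x10000 -> 0, 0x10040 -> 0x40 */
    return xfer_len < narrow ? xfer_len : narrow;
}

/* Client side: copy the valid bytes out of the buffer, refusing any length that
 * exceeds either the source buffer or the destination. Returns bytes copied,
 * or 0 when the request is rejected. */
static size_t consume(const struct fake_buf *buf, size_t bytes_xferd,
                      uint8_t *out, size_t out_len)
{
    if (bytes_xferd > buf->len || bytes_xferd > out_len)
        return 0;
    memcpy(out, buf->data, bytes_xferd);
    return bytes_xferd;
}

/* Self-contained exercise of the consume path on constructed data. */
static size_t consume_demo(size_t claimed)
{
    uint8_t src[16] = { 1, 2, 3, 4 };     /* constructed payload */
    uint8_t dst[16] = { 0 };
    struct fake_buf b = { src, sizeof src };
    return consume(&b, claimed, dst, sizeof dst);
}

int main(void)
{
    uint8_t storage[512];                 /* constructed 512-byte host buffer */
    memset(storage, 0xAB, sizeof storage);
    struct fake_buf buf = { storage, sizeof storage };
    struct fake_event hostile = { 0xFFFF };   /* constructed: device claims 65535 bytes */
    struct fake_event honest  = { 100 };
    bool truncated;

    size_t n = clamp_xfer_len(hostile.xfer_len, buf.len, &truncated);
    printf("hostile: unchecked=%zu clamped=%zu truncated=%d\n",
           unchecked_bytes_xferd(&hostile), n, truncated);

    n = clamp_xfer_len(honest.xfer_len, buf.len, &truncated);
    printf("honest: clamped=%zu truncated=%d\n", n, truncated);

    /* 16-bit comparison against a 65536-byte buffer: 100 honest bytes become 0 */
    printf("u16 pitfall: %zu vs widened %zu\n",
           clamp_xfer_len_u16(100, 0x10000), clamp_xfer_len(100, 0x10000, NULL));

    printf("consumed %zu bytes (claimed 4), %zu bytes (claimed 17)\n",
           consume_demo(4), consume_demo(17));
    return 0;
}
```

The model keeps the two decisions separate: the host-side clamp decides how many bytes are valid and records whether the device overstated the length, and the client-side copy refuses anything the clamp did not bound, so either layer alone still prevents the over-read.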