Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp180111ybg;
        Sun, 31 May 2020 21:14:43 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzyROSQMAf92PjQHjoKR6ZusZzAikt8cL7T0NvRjvtyU3a1DiE8GdqLR1qOIIF3XFngdgqN
X-Received: by 2002:a50:e1c5:: with SMTP id m5mr20013794edl.47.1590984883010;
        Sun, 31 May 2020 21:14:43 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1590984883; cv=pass;
        d=google.com; s=arc-20160816;
        b=i5Wya6iB594LjE/tc44mIfCIT+b9i0uzJAOJpH65L8zmDDEVtmnZYmBvST92dF8dL+
         YgxlYP8O8/IsfIeelsah9F449V+UGh0S7kLvoNPKtdBRt9jS7DZ7ZpYuDZA/qKS6fsfA
         m6O3EUtLiLCeJCMBIg5lvIMGF9A1SpddFgjYuvxpjJwCW+Ozes6+4CQ2TJmOeMnphncw
         BX78v5ofX/5CbJRlWXcqb+AV0md5VzibaBEiuHRfgouTjkK3bb/AGbah1nkxik+I9VPJ
         Y5SPwlqI5I9FLi1qFALnQO+HSNvQ+9hKXGZFhjAkr5sTx/cXN8DahjSDikq1Fe2wKWDN
         bgrQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :content-id:content-language:accept-language:in-reply-to:references
         :message-id:date:thread-index:thread-topic:subject:cc:to:from
         :dkim-signature;
        bh=YFfFnY0ADOOvtSrSXBhw7R8nAv2iCDo/O1xodSTWU2E=;
        b=TTkdsM6PNaIl2Vj0JNrlx7dOiBEKhPdwjEyu+C+XiUWsWDyB3NNDrdXClh3mttIi98
         ksn3E7OWFFnuVNiaY/10bJA4spVpOabC9s9Pn2ceTbKEnD9URm+3enoqUOfBcnRzPe8R
         J5xi4Sl/TqsUibQ/Ty9TRbVN+oKOqTjnDLPoH+7BaKjg7UBEIhEOwobWKe2N28OtI8+j
         kAPL11/B7WjjXbcE+N7bDyQ1V+ILkQtECv2sxCURb79EfCc3Vg9fcB2SdAkklpRddkxE
         hc/mTftKl1pLR5630ll4c9hYbn0PkEjvFEYriLL8/sQQZ4SUIE3L/C+rN++4v10WYIVO
         DhAQ==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@nxp.com header.s=selector2 header.b=Mn0CZDgZ;
       arc=pass (i=1 spf=pass spfdomain=nxp.com dkim=pass dkdomain=nxp.com dmarc=pass fromdomain=nxp.com);
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nxp.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id dj17si10013726edb.556.2020.05.31.21.14.20;
        Sun, 31 May 2020 21:14:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@nxp.com header.s=selector2 header.b=Mn0CZDgZ;
       arc=pass (i=1 spf=pass spfdomain=nxp.com dkim=pass dkdomain=nxp.com dmarc=pass fromdomain=nxp.com);
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nxp.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725970AbgFAEK3 (ORCPT <rfc822;plaguedbypenguins@gmail.com>
        + 99 others); Mon, 1 Jun 2020 00:10:29 -0400
Received: from mail-eopbgr20070.outbound.protection.outlook.com ([40.107.2.70]:25599
        "EHLO EUR02-VE1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1725290AbgFAEK2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 1 Jun 2020 00:10:28 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=awftJkezXB3iVGT/ugtKGHqWE2pOn2OsmrX8gCRmGEaAlxmGZD1ArZGRyOx9bdTp29By37FXEr32paluyaFA7A4o8lrMAJIDn5RMOag4CtAz32N9QcT/Gf8V6izr1DgEZns3AJ4bPRLUB15isxU2Zgno1x6eWDfAXWREATru5x8SUh/4Z3wswp5wJCLwIPAK4GBVP3q30Ym9YmCk6Bvf3WUHbi5fiWtu5NA4QEUEFsfoDvfVKkpwqTwYWeWiKMyLYNOVuaSpzJvVdrQ5KaiM0WPDs1wc1yotPVy1lUYl+J1ha21g2W+5ttDZHeu7gFUUDq414VTCOyEkTsLxL5KWwg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=YFfFnY0ADOOvtSrSXBhw7R8nAv2iCDo/O1xodSTWU2E=;
 b=jrcOKQQ90k/4xv/jSItZs1aPl3FBsuk5oSLofypLId8QqgsQcxf5sy8hLOEcv/tv8FH7HcsHFNO8JMxB7uAxyWedg3D/sPvg7POq6Vl7Ek4SRaYsX/p2kk0Mobs0ucCt3q/g/lpRi2Xl3E4geK+MwGxlCex3UBhKFI4dObYhU4WJaHyCH1VYWeHUYm9ZEFirJ9G8jefc9fUNSU/loZ5tWhFb9YIfrTFkFWPRUFl4tAvIZNvA/eYirZMLFhMt1UJXdigJWuxaCIbFCJDSVPRp/a1uOD3PwvZ4hO2Iy2ZwH1ICuCzpyjBMTLCH4JRYHHMZP7BbjdIUZU4KIa9K4QBacA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=nxp.com; dmarc=pass action=none header.from=nxp.com; dkim=pass
 header.d=nxp.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=YFfFnY0ADOOvtSrSXBhw7R8nAv2iCDo/O1xodSTWU2E=;
 b=Mn0CZDgZsKLsZMFlSoDw5tk2/NA6894O5qzpgnAXRagl++Igq4H0i2y5C+fNRuH9O0357T2UxVEBl4dnWuon2nHsY33LwTO6Ea58e1tTqY8MDzqX5uvn2WVnPo6IcdLUTlMsYuYZZkDxWdItVrMWTOM0m1fmA/D6Rx0+02/NU/4=
Received: from AM7PR04MB7157.eurprd04.prod.outlook.com (2603:10a6:20b:118::20)
 by AM7PR04MB7096.eurprd04.prod.outlook.com (2603:10a6:20b:113::15) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3045.17; Mon, 1 Jun
 2020 04:10:24 +0000
Received: from AM7PR04MB7157.eurprd04.prod.outlook.com
 ([fe80::1101:adaa:ee89:af2a]) by AM7PR04MB7157.eurprd04.prod.outlook.com
 ([fe80::1101:adaa:ee89:af2a%3]) with mapi id 15.20.3045.024; Mon, 1 Jun 2020
 04:10:24 +0000
From:   Peter Chen <peter.chen@nxp.com>
To:     Jia-Ju Bai <baijiaju1990@gmail.com>
CC:     "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
        "balbi@kernel.org" <balbi@kernel.org>,
        "pawell@cadence.com" <pawell@cadence.com>,
        "rogerq@ti.com" <rogerq@ti.com>,
        "colin.king@canonical.com" <colin.king@canonical.com>,
        "yuehaibing@huawei.com" <yuehaibing@huawei.com>,
        "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] usb: cdns3: fix possible buffer overflow caused by bad
 DMA value
Thread-Topic: [PATCH] usb: cdns3: fix possible buffer overflow caused by bad
 DMA value
Thread-Index: AQHWNjHPz6qvJgpZ+karMYRZFy9ss6jDKN4A
Date:   Mon, 1 Jun 2020 04:10:24 +0000
Message-ID: <20200601041048.GB13752@b29397-desktop>
References: <20200530032400.12743-1-baijiaju1990@gmail.com>
In-Reply-To: <20200530032400.12743-1-baijiaju1990@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmail.com; dkim=none (message not signed)
 header.d=none;gmail.com; dmarc=none action=none header.from=nxp.com;
x-originating-ip: [119.31.174.66]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 28dd596c-3efd-49fb-026b-08d805e1b592
x-ms-traffictypediagnostic: AM7PR04MB7096:
x-microsoft-antispam-prvs: <AM7PR04MB7096408699CAD54F25AD47AF8B8A0@AM7PR04MB7096.eurprd04.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0421BF7135
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: A2pk6eyvjeSKTXuzVZYtWz/3PcF3NJvQczPwLSHPwySUMvILC+QEiwhAkeow0jSBBU3aD0Ccy9i5itJEcwXbQna7FExq5nEYtPHZmPJojraoJWg8hptC8u6OMzuYqNVvCpU9YL4QjES+idXGkBDfhnywMSX1rFbW5/DHYDBnaCggndT8MJdNPCLVXZMbdE5tQJyOJv1ajkqIQyX3KycQx/A6vOoEK1JIPNygiNdI8b7/r4LAK83Gllkb8yz/+VHadlGft8Qa17UKh/NyXmW/bPoGwwPRxuJYXdDjNGcQf49utohNW6XF8MgSInIi6WFBOzfuA3PqVDyPndIHp6Q0DA==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM7PR04MB7157.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:(7916004)(4636009)(346002)(376002)(136003)(396003)(366004)(39860400002)(66556008)(478600001)(64756008)(66446008)(9686003)(6512007)(8676002)(5660300002)(316002)(91956017)(76116006)(8936002)(4326008)(1076003)(66946007)(66476007)(44832011)(54906003)(2906002)(71200400001)(186003)(26005)(53546011)(6506007)(83380400001)(6486002)(6916009)(33656002)(33716001)(86362001);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata: Mx7HIYQ+L2PQEESqzVcaT1eKvl/LPaGd/Bv47orp+SbugaARaV2AX/uXtE8AsIRfKcoU+OnQsDRYdudj+G6a9nvK5MrehAAzQpxCMCcKCwznrUt9IaNeZBp7P4/kbTF9mQkHW1GJyk0NLcms6lIAKDX6Xw7UB0GXPnvWdC2QwjADOwBMblw/ulRN8oelzWPSOaDwTGH0CjvLng42KcWPqTAkllG03TPbNgX0fvcEKD09TMLveQbLYGEleFb2mrUeAEsNGdIZmNoUBeySe858MmWE54a8LugDECFZXmg7zzrZjpPxGkgiWJqlCaigJneEGdaLfTXcqD3LLg5qXasHTsUBevlgqYTFx6OMzvn+/IVJUOIO4WJFQf17vQcDqiERKpzzcl7ViLFb9vY4MQ3jB3XdbyPNOYaNa5ckApUDhFzBejoZzu2/f30J0qSTFljfDTSOo3tc60WVuGr7gd2llYBy1sFPyzYm0gOsQZ8RgCw=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <8DFBDA757AA7E047A20991C996909877@eurprd04.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nxp.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 28dd596c-3efd-49fb-026b-08d805e1b592
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Jun 2020 04:10:24.2959
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: UT6gjy/IQETs6N5KOPBsIiYgrw056Eq/YEV1Xjq43k0ila94ietYwMdsx0dhMOzZWug8OBBQFm93Ho5I/ITLhw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR04MB7096
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 20-05-30 11:24:00, Jia-Ju Bai wrote:
> In cdns3_ep0_setup_phase():
>   struct usb_ctrlrequest *ctrl =3D priv_dev->setup_buf;
>=20
> Because priv_dev->setup_buf (allocated in cdns3_gadget_start) is stored=20
> in DMA memory, and thus ctrl is a DMA value.
>=20
> cdns3_ep0_setup_phase()
>   cdns3_ep0_standard_request(priv_dev, ctrl)
>     cdns3_req_ep0_get_status(priv_dev, ctrl)
>       index =3D cdns3_ep_addr_to_index(ctrl->wIndex);
>       priv_ep =3D priv_dev->eps[index];
>=20
> cdns3_ep0_setup_phase()
>   cdns3_ep0_standard_request(priv_dev, ctrl)
>     cdns3_req_ep0_handle_feature(priv_dev, ctrl_req, 0)
>       cdns3_ep0_feature_handle_endpoint(priv_dev, ctrl, set)
>         index =3D cdns3_ep_addr_to_index(ctrl->wIndex);
>         priv_ep =3D priv_dev->eps[index];
>=20
> In these cases, ctrl->wIndex can be be modified at anytime by malicious
> hardware, and thus a buffer overflow can occur when the code
> "priv_dev->eps[index]" is executed.
>=20

Did you see the setup buffer is overwritten before the setup handling is
finished?

> To fix these possible bugs, index is checked before being used.

I think the better fix is to use one additional buffer for struct
usb_ctrlrequest, and copy the dma_buf to it after setup packet
has received, then use the value stored in this buffer for later
operation, it could avoid quitting the code which is useful in fact.

Peter

>=20
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---
>  drivers/usb/cdns3/ep0.c | 5 +++++
>  1 file changed, 5 insertions(+)
>=20
> diff --git a/drivers/usb/cdns3/ep0.c b/drivers/usb/cdns3/ep0.c
> index e71240b386b4..0a80c7ade613 100644
> --- a/drivers/usb/cdns3/ep0.c
> +++ b/drivers/usb/cdns3/ep0.c
> @@ -265,6 +265,8 @@ static int cdns3_req_ep0_get_status(struct cdns3_devi=
ce *priv_dev,
>  		return cdns3_ep0_delegate_req(priv_dev, ctrl);
>  	case USB_RECIP_ENDPOINT:
>  		index =3D cdns3_ep_addr_to_index(ctrl->wIndex);
> +		if (index >=3D CDNS3_ENDPOINTS_MAX_COUNT)
> +			return -EINVAL;
>  		priv_ep =3D priv_dev->eps[index];
> =20
>  		/* check if endpoint is stalled or stall is pending */
> @@ -388,6 +390,9 @@ static int cdns3_ep0_feature_handle_endpoint(struct c=
dns3_device *priv_dev,
>  		return 0;
> =20
>  	index =3D cdns3_ep_addr_to_index(ctrl->wIndex);
> +	if (index >=3D CDNS3_ENDPOINTS_MAX_COUNT)
> +		return -EINVAL;
> +
>  	priv_ep =3D priv_dev->eps[index];
> =20
>  	cdns3_select_ep(priv_dev, ctrl->wIndex);
> --=20
> 2.17.1
>=20

--=20

Thanks,
Peter Chen=