From: Cristian Marussi
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: sudeep.holla@arm.com, james.quinlan@broadcom.com, Jonathan.Cameron@Huawei.com, f.fainelli@gmail.com, etienne.carriere@linaro.org, vincent.guittot@linaro.org, souvik.chakravarty@arm.com, cristian.marussi@arm.com
Subject: [PATCH 04/22] firmware: arm_scmi: Validate BASE_DISCOVER_LIST_PROTOCOLS reply
Date: Wed, 30 Mar 2022 16:05:33 +0100
Message-Id: <20220330150551.2573938-5-cristian.marussi@arm.com>
In-Reply-To: <20220330150551.2573938-1-cristian.marussi@arm.com>
References: <20220330150551.2573938-1-cristian.marussi@arm.com>

Do not blindly trust SCMI backend server reply about list of implemented
protocols, instead validate the reported length of the list of protocols
against the real payload size of the message reply.

Fixes: b6f20ff8bd9 ("firmware: arm_scmi: add common infrastructure and support for base protocol")
Signed-off-by: Cristian Marussi

--- drivers/firmware/arm_scmi/base.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c index f279146f8110..c1165d1282ef 100644 --- a/drivers/firmware/arm_scmi/base.c +++ b/drivers/firmware/arm_scmi/base.c @@ -189,6 +189,9 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph, list = t->rx.buf + sizeof(*num_ret); do { + size_t real_list_sz; + u32 calc_list_sz; + /* Set the number of protocols to be skipped/already read */ *num_skip = cpu_to_le32(tot_num_ret); 
@@ -202,6 +205,24 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph, break; } + if (t->rx.len < (sizeof(u32) * 2)) { + dev_err(dev, "Truncated reply - rx.len:%zd\n", + t->rx.len); + ret = -EPROTO; + break; + } + + real_list_sz = t->rx.len - sizeof(u32); + calc_list_sz = ((loop_num_ret / sizeof(u32)) + + !!(loop_num_ret % sizeof(u32))) * sizeof(u32); + if (calc_list_sz != real_list_sz) { + dev_err(dev, + "Malformed reply - real_sz:%zd calc_sz:%u\n", + real_list_sz, calc_list_sz); + ret = -EPROTO; + break; + } + for (loop = 0; loop < loop_num_ret; loop++) protocols_imp[tot_num_ret + loop] = *(list + loop); -- 2.32.0
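
Review bot: In the first hunk (@@ -189,6 +189,9) the two sizes that are later compared are declared with different types, size_t real_list_sz and u32 calc_list_sz. Declaring both as size_t would keep the calc_list_sz != real_list_sz comparison free of implicit widening and let a single format be used for both; as posted, the size_t values are printed with %zd, the signed conversion, where %zu is the matching one.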
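
Review bot: In the second hunk (@@ -202,6 +205,24) a reply that reports zero protocols can never pass the new checks: with loop_num_ret == 0 calc_list_sz evaluates to 0, while the preceding t->rx.len < (sizeof(u32) * 2) test guarantees real_list_sz is at least sizeof(u32), so such a reply is always logged as malformed (or as truncated when rx.len is exactly sizeof(u32)) and ret is set to -EPROTO. If a zero-count reply is a legitimate way for the server to end the listing, handle loop_num_ret == 0 before both checks. The round-up expression would also read more clearly as round_up(loop_num_ret, sizeof(u32)) or with DIV_ROUND_UP(), and a one-line comment saying that the calculation assumes one byte per listed protocol, padded to a whole number of u32 words, would document why the count is rounded to a multiple of four.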