Date: Thu, 28 Apr 2022 11:07:29 +0100
From: Sudeep Holla
To: Cristian Marussi
Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, james.quinlan@broadcom.com, Jonathan.Cameron@Huawei.com, f.fainelli@gmail.com, etienne.carriere@linaro.org, vincent.guittot@linaro.org, souvik.chakravarty@arm.com
Subject: Re: [PATCH 04/22] firmware: arm_scmi: Validate BASE_DISCOVER_LIST_PROTOCOLS reply
Message-ID: <20220428100729.qlzl5lkkn2r5u3ra@bogus>
References: <20220330150551.2573938-1-cristian.marussi@arm.com> <20220330150551.2573938-5-cristian.marussi@arm.com>
In-Reply-To: <20220330150551.2573938-5-cristian.marussi@arm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 30, 2022 at 04:05:33PM +0100, Cristian Marussi wrote:
> Do not blindly trust SCMI backend server reply about list of implemented
> protocols, instead validate the reported length of the list of protocols
> against the real payload size of the message reply.
>
> Fixes: b6f20ff8bd9 ("firmware: arm_scmi: add common infrastructure and support for base protocol")
> Signed-off-by: Cristian Marussi
> ---
> drivers/firmware/arm_scmi/base.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c
> index f279146f8110..c1165d1282ef 100644
> --- a/drivers/firmware/arm_scmi/base.c
> +++ b/drivers/firmware/arm_scmi/base.c
> @@ -189,6 +189,9 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph, > list = t->rx.buf + sizeof(*num_ret); > > do { > + size_t real_list_sz; > + u32 calc_list_sz; > + > /* Set the number of protocols to be skipped/already read */ > *num_skip = cpu_to_le32(tot_num_ret); > > @@ -202,6 +205,24 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph, > break; > } > > + if (t->rx.len < (sizeof(u32) * 2)) { > + dev_err(dev, "Truncated reply - rx.len:%zd\n", > + t->rx.len); > + ret = -EPROTO; > + break; > + } > + > + real_list_sz = t->rx.len - sizeof(u32); > + calc_list_sz = ((loop_num_ret / sizeof(u32)) + > + !!(loop_num_ret % sizeof(u32))) * sizeof(u32);

Any reason this can't be (loop_num_ret - 1) / sizeof(u32) + 1 ?

--
Regards,
Sudeep
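
Review bot: In the first hunk (@@ -189,6 +189,9 @@), real_list_sz is declared size_t but calc_list_sz is declared u32, while the expression assigned to calc_list_sz in the following hunk is built from sizeof(u32) and is therefore evaluated as size_t before being narrowed. Declaring both as size_t would keep the two sizes in one type and avoid the implicit narrowing on assignment.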
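
Review bot: In the second hunk (@@ -202,6 +205,24 @@), the calc_list_sz assignment open-codes rounding loop_num_ret up to a multiple of sizeof(u32) with a divide, a modulo and a !!; round_up(loop_num_ret, sizeof(u32)), or DIV_ROUND_UP(loop_num_ret, sizeof(u32)) * sizeof(u32), states the same thing in one step and still gives 0 when loop_num_ret is 0. A short comment above the assignment saying why the list length is rounded to whole u32 words would also help the reader. Separately, the dev_err() in this hunk prints t->rx.len with %zd; if rx.len is a size_t, as its use in the size_t real_list_sz assignment suggests, %zu is the matching specifier.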