Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp2007806rdb; Thu, 7 Dec 2023 15:41:33 -0800 (PST) X-Google-Smtp-Source: AGHT+IH2DuzShTaXa+gI+em/oGDAcY14FTeF+2iTB5Q4ouQsBU1LvDCSlDvTLKRlBaPu0xOT3orA X-Received: by 2002:a05:6870:2189:b0:1fb:75b:12f0 with SMTP id l9-20020a056870218900b001fb075b12f0mr3610144oae.66.1701992492825; Thu, 07 Dec 2023 15:41:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701992492; cv=none; d=google.com; s=arc-20160816; b=kF532c25UMRPLFOl0sbeQpHiIs1K7QDD1dYbKRvcs7aI16qhX+CAUJpZtVczRF7zxG v498do7K98FyKIyg0eN2lfXz0QqESH2OzYusc8I1lFS9vmfTfFWNfB+bTCFmWxsQCwDm BQydNTvPZGKWDKeHPrawtP6UvDAEfYeNFM90+9ZW1pB0QZghHlnuGPEPwD/LMMBVqWDJ s8bcYx889EQKq0ACmFGAXIMn7OcmQ1bF4JvNbhEgoV/5YCVownbxvf4Jc8Z/Z9uy4HRB ddu7G+HQ5fDD6iZjcwBXyIs4cXCVHva3QWKh6/dDjsd51boPYOitPFWHvCCgpd1djdbS luvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=3Fyv8OnmqxBaiCz6uYK3kIsXhEExm0dyxwvmviyPv6c=; fh=7VrMMHoNCKJYYGFP1i4gU88Cl2/qrklcas66CR2Kdtw=; b=V3woB+Iux4YNA0V+SsC7wgGAQlowMJUk8tOXlnO3rO2igxA10fPb7242eSWeU2cbf7 IRX4XqkPP8qRDDJusALdyqhY3aQqsTD1LwblhuANYBYevjVt3Wx0YdDPmGEU6/tIwaGM fcMYRnGwgaSe3v0i8rzgqY/iMR5Jts8YyTFHphT01QSPDWL6FU8q+ZRA4pY6hr0S8OAX PqYhApJ1DfEUZ+RWRAUmrWeu7POfSQWLQAQWAoHo4hX+TO2bl2QEMxUUtDWyM+xJ8aa2 z3w0l4ldxv+QG2x6YdB/hwqkw4w7KroUyl6nWnu+Nkz/8hJfocwRu90ALr7/RDHZ2H6X lgwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=fVsGFRUV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from morse.vger.email (morse.vger.email. [23.128.96.31]) by mx.google.com with ESMTPS id k14-20020a6568ce000000b005c65bfc76b7si471546pgt.570.2023.12.07.15.41.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Dec 2023 15:41:32 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=fVsGFRUV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 9F520833AB30; Thu, 7 Dec 2023 15:41:19 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232509AbjLGXlD (ORCPT + 99 others); Thu, 7 Dec 2023 18:41:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36008 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231648AbjLGXlB (ORCPT ); Thu, 7 Dec 2023 18:41:01 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A0F2C1718 for ; Thu, 7 Dec 2023 15:41:07 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6F705C433C7; Thu, 7 Dec 2023 23:41:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1701992467; bh=F3yFkrBoPvYgnjqkAbhACfF2pHqxuP+Z8Rav20Zxl9M=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=fVsGFRUVrs4k5SOD5D4kjazODSA2OlpFebdxjWr9QRTQE34EGts47fCXyNNrWcQSu 0we2lGdWGyCpY5jzbRxaB4KUQqrchdbtak2IZLwjdLovJHc3/GG3eT8gF0l+Q6R1wh 8IuMxwKflIvH0bvQJiN1d7xTqY3fXPMM/pitmNzkk+RGGhzwJTAydRSXrNTzJ26iWP IxRs1McwWB/6Dk8gYMrYE1Qf7oxw3aOX3+BzM6i8xjm2+gdBGr8kS7ZFzKTt3QBw1f BOzJRCOAx/r2vMeuFOU+adlKp+RpubHa7AjsTb0KVYC1NaPExMotCjZApyPHR7dpx4 GMeQdBaS7+H0w== Date: Thu, 7 Dec 2023 15:44:25 -0800 From: Bjorn Andersson To: Deepak Kumar Singh Cc: quic_bjorande@quicinc.com, andersson@kernel.org, quic_clew@quicinc.com, mathieu.poirier@linaro.org, linux-kernel@vger.kernel.org, quic_sarannya@quicinc.com, linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, Andy Gross , Konrad Dybcio Subject: Re: [PATCH V1] rpmsg: glink: smem: validate index before fifo read write Message-ID: References: <20231201110631.669085-1-quic_deesin@quicinc.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231201110631.669085-1-quic_deesin@quicinc.com> X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Thu, 07 Dec 2023 15:41:19 -0800 (PST) On Fri, Dec 01, 2023 at 04:36:31PM +0530, Deepak Kumar Singh wrote: > Fifo head and tail index can be modified with wrong values from > untrusted remote procs. Glink smem is not validating these index > before using to read or write fifo. This can result in out of > bound memory access if head and tail have incorrect values. > > Add check for validation of head and tail index. This check will > put index within fifo boundaries, so that no invalid memory access > is made. Further this may result in certain packet drops unless > glink finds a valid packet header in fifo again and recovers. > > Crash signature and calltrace with wrong head and tail values: > > Internal error: Oops: 96000007 [#1] PREEMPT SMP > pc : __memcpy_fromio+0x34/0xb4 > lr : glink_smem_rx_peak+0x68/0x94 > > __memcpy_fromio+0x34/0xb4 > glink_smem_rx_peak+0x68/0x94 > qcom_glink_native_intr+0x90/0x888 > > Signed-off-by: Deepak Kumar Singh > --- > drivers/rpmsg/qcom_glink_smem.c | 21 ++++++++++++++++++--- > 1 file changed, 18 insertions(+), 3 deletions(-) > > diff --git a/drivers/rpmsg/qcom_glink_smem.c b/drivers/rpmsg/qcom_glink_smem.c > index 7a982c60a8dd..9eba0aaae916 100644 > --- a/drivers/rpmsg/qcom_glink_smem.c > +++ b/drivers/rpmsg/qcom_glink_smem.c > @@ -86,9 +86,14 @@ static size_t glink_smem_rx_avail(struct qcom_glink_pipe *np) > tail = le32_to_cpu(*pipe->tail); > > if (head < tail) > - return pipe->native.length - tail + head; > + len = pipe->native.length - tail + head; > else > - return head - tail; > + len = head - tail; > + > + if (WARN_ON_ONCE(len > pipe->native.length)) > + len = 0; > + > + return len; > } > > static void glink_smem_rx_peek(struct qcom_glink_pipe *np, > @@ -99,6 +104,10 @@ static void glink_smem_rx_peek(struct qcom_glink_pipe *np, > u32 tail; > > tail = le32_to_cpu(*pipe->tail); > + > + if (WARN_ON_ONCE(tail > pipe->native.length)) > + return; Just returning here will leave the caller with garbage in @data, which they will act upon. It does avoid the out of bounds read, but I'm not confident in what happens next. > + > tail += offset; > if (tail >= pipe->native.length) > tail -= pipe->native.length; > @@ -121,7 +130,7 @@ static void glink_smem_rx_advance(struct qcom_glink_pipe *np, > > tail += count; > if (tail >= pipe->native.length) > - tail -= pipe->native.length; > + tail %= pipe->native.length; If @tail had a bogus value before we incremented then we now have a completely random value. The next time the FIFO is read these values will be OK and we will return some random values to the caller. > > *pipe->tail = cpu_to_le32(tail); > } > @@ -146,6 +155,9 @@ static size_t glink_smem_tx_avail(struct qcom_glink_pipe *np) > else > avail -= FIFO_FULL_RESERVE + TX_BLOCKED_CMD_RESERVE; > > + if (WARN_ON_ONCE(avail > pipe->native.length)) > + avail = 0; > + > return avail; > } > > @@ -155,6 +167,9 @@ static unsigned int glink_smem_tx_write_one(struct glink_smem_pipe *pipe, > { > size_t len; > > + if (WARN_ON_ONCE(head > pipe->native.length)) > + return head; As above, but with less probability, this might end up adjusting pipe->head (in glink_smem_tx_write()) to a random position within the FIFO - which then upon next access will corrupt the data. This shouldn't cause any direct issues on the Linux side though, we will just corrupt the outgoing FIFO (which probably don't matter given that things are already broken). Regards, Bjorn > + > len = min_t(size_t, count, pipe->native.length - head); > if (len) > memcpy(pipe->fifo + head, data, len); > -- > 2.34.1 >