Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5635597rdb; Wed, 13 Dec 2023 14:59:08 -0800 (PST) X-Google-Smtp-Source: AGHT+IEeZobkDMoQvPXyM9Kq7Ndn/VqSwzhFaGWsythbr6Jik9FdEkNMMhoN3/kruoyaB7JVnpEE X-Received: by 2002:a0d:e6c4:0:b0:5e3:217e:ea8a with SMTP id p187-20020a0de6c4000000b005e3217eea8amr1053798ywe.32.1702508348455; Wed, 13 Dec 2023 14:59:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702508348; cv=none; d=google.com; s=arc-20160816; b=DYR9kS8a8D2nZMx8jSNZLJhjx59J2V+BPFs/2vN4qA4WS7gMRwYnJAXoJ2Pn9jsDzi g+gJpQw2jFSqtddbrdqbRLXGqOIfgH80rzL99XGzMz3o6CCbHSCEqwzSYtBzWTMiuGby ANQ6a4YXv4hWbr1xEY80RmtSimpgOUHiMwMzFCfkRR6lxERZIlF7cnNLWXxVBzssQ6rJ s+JhM4yJwu7VxFu0gqPo/VfpqT7l5SE/9f2DPOAesjg4dVWnqfgDVUUVB3bn3V2NxWDt QGNfNZPxVZKRZCX0h8KyZW20eWZORmcgJaSi9pIRsqYPVFQhY5Yr8thFU3hFx2vAtDu7 dgmQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=NP7EFzGzSWr3xJEehuEaHFNBqnTzbp9svuRkZjLJpIg=; fh=IYTbtIid9GYtAGT/BFNitoM5jfPnXZesAXc2my1CvG4=; b=GOVimKpztlpALixgYpWT+kzIawP3Jive9FBABGLo2lU8MLoZrK+cJxhPzEK1wFrjTc ZCR4N/V3w30PkSLG0DnO8zR96ICVkQLzEGqo+eLQ671t7ugNJvaLZdV6ExvEPdk0M/3B CVCu43H/zV55YhICIt46FppGfca4JS3CX2vvcZSgBCSMPb9JG+4dBtTHCXoy5KNmrg/p BYVyG60aMa0BTYNaXpQAywjxSo2mxI1OmsbswY9csVrPq5zzNvcsfJPqbhNYTglbiZL+ kJW52cOMjoRSK5rENQcGrP1iNVZ1hlN3bfmmOgzZKdlRl8mRwVnKRftng+jo9Ynv/7bB yeCQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=GmSO81oG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Return-Path: Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4]) by mx.google.com with ESMTPS id 19-20020a170902c21300b001cfbd271f2esi9985993pll.7.2023.12.13.14.59.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Dec 2023 14:59:08 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=GmSO81oG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 1F38F822D141; Wed, 13 Dec 2023 14:59:00 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233930AbjLMW6o (ORCPT + 99 others); Wed, 13 Dec 2023 17:58:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33126 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229763AbjLMW6n (ORCPT ); Wed, 13 Dec 2023 17:58:43 -0500 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B486CF; Wed, 13 Dec 2023 14:58:49 -0800 (PST) Received: from pps.filterd (m0279866.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 3BDMRrH0025021; Wed, 13 Dec 2023 22:58:41 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=qcppdkim1; bh=NP7EFzGzSWr3xJEehuEaH FNBqnTzbp9svuRkZjLJpIg=; b=GmSO81oGf0DHtJzuwuNRWjgAoREqygR+nSh+i SXxnUSDYjdnLSN4DTDAAD4axnGVBDNspMhdmqkZZyzgYr8hZ4MqEJqpTUO/oFNDT YCUtstmKC6/rFsrIOhG5QslktU/zB/1Kn6LSTF7HRKQHqjYylG/k3thv+4FqOTWw ObAWQHVGoYySl1/zzCvPtlhb0uClvCuACTWQDYZIwcaV5seYLRtiyvjgLqvre9md 6/e0ymnvzGBZZbAQE/VzjgYUe+rUYVpnNcWuPpqPcjcFS2Isc2Ae5RFS5eA5lvAb MUBYmvwzKtVplu25cX/Y9/5hXyigSis7mIZj6ut6blg8Svetg== Received: from nalasppmta04.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3uy32naqjf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Dec 2023 22:58:40 +0000 (GMT) Received: from nalasex01c.na.qualcomm.com (nalasex01c.na.qualcomm.com [10.47.97.35]) by NALASPPMTA04.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 3BDMwenj020451 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Dec 2023 22:58:40 GMT Received: from hu-bjorande-lv.qualcomm.com (10.49.16.6) by nalasex01c.na.qualcomm.com (10.47.97.35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Wed, 13 Dec 2023 14:58:39 -0800 Date: Wed, 13 Dec 2023 14:58:38 -0800 From: Bjorn Andersson To: Hardevsinh Palaniya CC: "agross@kernel.org" , "andersson@kernel.org" , Konrad Dybcio , Mathieu Poirier , "linux-arm-msm@vger.kernel.org" , "linux-remoteproc@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH] rpmsg: glink: Fix buffer overflow Message-ID: <20231213225838.GQ1766637@hu-bjorande-lv.qualcomm.com> References: <20231211160221.2843339-1-hardevsinh.palaniya@siliconsignals.io> <20231211184010.GM1766637@hu-bjorande-lv.qualcomm.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: X-Originating-IP: [10.49.16.6] X-ClientProxiedBy: nalasex01b.na.qualcomm.com (10.47.209.197) To nalasex01c.na.qualcomm.com (10.47.97.35) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: 7Y1GNvv0MyO9zVXySLREKgiMNY4YodMg X-Proofpoint-GUID: 7Y1GNvv0MyO9zVXySLREKgiMNY4YodMg X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-12-09_01,2023-12-07_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 suspectscore=0 adultscore=0 spamscore=0 clxscore=1015 mlxlogscore=825 priorityscore=1501 mlxscore=0 lowpriorityscore=0 bulkscore=0 malwarescore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2311290000 definitions=main-2312130162 X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on howler.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Wed, 13 Dec 2023 14:59:00 -0800 (PST) On Wed, Dec 13, 2023 at 03:15:15PM +0000, Hardevsinh Palaniya wrote: > Hello [1]@Bjorn Andersson, Please use appropriate mail list etiquette, and avoid HTML and top-posting in your responses. > > "strscpy_pad" itself takes care of null-terminated strings. So, there > will be no leak. Your strscpy_pad() will NUL-terminate and zero-pad up to 32 bytes. Following this the next line will write strlen(name) + sizeof(hdr) bytes to the FIFO. So if strlen(name) >= 32 you will read beyond the end of the zero-padded string. Regards, Bjorn > __________________________________________________________________ > > From: Bjorn Andersson > Sent: Tuesday, December 12, 2023 12:10 AM > To: Hardevsinh Palaniya > Cc: agross@kernel.org ; andersson@kernel.org > ; Konrad Dybcio ; > Mathieu Poirier ; > linux-arm-msm@vger.kernel.org ; > linux-remoteproc@vger.kernel.org ; > linux-kernel@vger.kernel.org > Subject: Re: [PATCH] rpmsg: glink: Fix buffer overflow > > On Mon, Dec 11, 2023 at 09:32:20PM +0530, Hardevsinh Palaniya wrote: > > In qcom_glink_send_open_req() remove error: strcpy() 'channel->name' > > too large for 'req.name' (1010102 vs 32) > > > As far as I can tell, channel->name comes from the struct > rpmsg_channel_info->name, which is a 32-byte array, and all code paths > I > can find either uses strscpy() or explicitly NUL-terminates this > string. > I'm curious to know which path took us here. > > Signed-off-by: Hardevsinh Palaniya > > > > > diff --git a/drivers/rpmsg/qcom_glink_native.c > b/drivers/rpmsg/qcom_glink_native.c > > index 82d460ff4777..2d6a592e1c72 100644 > > --- a/drivers/rpmsg/qcom_glink_native.c > > +++ b/drivers/rpmsg/qcom_glink_native.c > > @@ -479,7 +479,7 @@ static int qcom_glink_send_open_req(struct > qcom_glink *glink, > > req.msg.cmd = cpu_to_le16(GLINK_CMD_OPEN); > > req.msg.param1 = cpu_to_le16(channel->lcid); > > req.msg.param2 = cpu_to_le32(name_len); > > - strcpy(req.name, channel->name); > > + strscpy_pad(req.name, channel->name, sizeof(req.name)); > I think this patch is incomplete. While it makes sure we don't > overwrite > the stack. name_len is strlen(channel->name) + 1 and the amount of data > sent out is based on name_len. > As such, if you can get here with a @name of arbitrary length, then you > can control how much of the stack we're going to now leak to the > recipient. > Regards, > Bjorn > > > > ret = qcom_glink_tx(glink, &req, req_len, NULL, 0, true); > > if (ret) > > -- > > 2.25.1 > > > > > > References > > 1. mailto:quic_bjorande@quicinc.com