From: Michal Koutný
To: linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Bjorn Andersson, Konrad Dybcio, Mathieu Poirier, afaerber@suse.com, ivan.ivanov@suse.com
Subject: [RFC PATCH] rpmsg: glink: Add bounds check on tx path
Date: Sat, 13 Jan 2024 01:25:05 +0100
Message-ID: <20240113002505.15503-1-mkoutny@suse.com>

Add bounds check on values read from shared memory in the tx path. In
cases where the VM is misbehaving, the transport should exit and print a
warning when bogus values may cause out of bounds to be read.

Link: https://git.codelinaro.org/clo/la/kernel/msm-5.10/-/commit/32d9c3a2f2b6a4d1fc48d6871194f3faf3184e8b
Suggested-by: Chris Lew
Suggested-by: Sarannya S
Signed-off-by: Michal Koutný
---
 drivers/rpmsg/qcom_glink_smem.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Why RFC?
The patch is adopted from the link above. It would be good to assess
whether such conditions can also happen with rpmsg glink. (And if so,
whether the zeroed values are the best correction.)

diff --git a/drivers/rpmsg/qcom_glink_smem.c b/drivers/rpmsg/qcom_glink_smem.c index 7a982c60a8dd..3e786e590c03 100644 --- a/drivers/rpmsg/qcom_glink_smem.c +++ b/drivers/rpmsg/qcom_glink_smem.c @@ -146,6 +146,11 @@ static size_t glink_smem_tx_avail(struct qcom_glink_pipe *np) else avail -= FIFO_FULL_RESERVE + TX_BLOCKED_CMD_RESERVE; + if (avail > pipe->native.length) { + pr_warn_once("%s: avail clamped\n", __func__); + avail = 0; + } + return avail; } @@ -177,6 +182,10 @@ static void glink_smem_tx_write(struct qcom_glink_pipe *glink_pipe, unsigned int head; head = le32_to_cpu(*pipe->head); + if (head > pipe->native.length) { + pr_warn_once("%s: head overflow\n", __func__); + return; + } head = glink_smem_tx_write_one(pipe, head, hdr, hlen); head = glink_smem_tx_write_one(pipe, head, data, dlen); -- 2.43.0
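Review bot: In glink_smem_tx_avail() the new check is applied to the derived avail, after the FIFO_FULL_RESERVE + TX_BLOCKED_CMD_RESERVE subtraction, rather than to the indices read from shared memory. It therefore only catches bogus values that happen to push the result above pipe->native.length (for instance when the subtraction wraps, if avail is unsigned); an out-of-range index that still produces a small avail passes unnoticed. Consider validating the raw head and tail against pipe->native.length right after they are read, before any arithmetic. The message "avail clamped" also does not match what the code does (it sets avail to 0, which reports a full FIFO rather than an error), and printing the offending value would make the once-only warning more useful.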
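Review bot: In glink_smem_tx_write() the comparison head > pipe->native.length lets head == pipe->native.length through; if head is used as an offset into a FIFO of that length, the valid range is 0 to length - 1 and the bound should be >=, so please confirm which is intended and say so in a comment. The bare return in this void function also drops both hdr and data without telling the caller, and pr_warn_once reports only the first occurrence, so later drops are silent. Consider returning an error that the caller can propagate, or at least documenting that the message is discarded.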