Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp2626789rdd;
        Fri, 12 Jan 2024 16:25:53 -0800 (PST)
X-Google-Smtp-Source: AGHT+IHLo0/Kki1qTtQW1D4o1QT59JxciZ3kitTQAzw9fcTQDHeqzkY7Im95mPZBzheGH1Du/UGL
X-Received: by 2002:a05:6808:4497:b0:3bb:d83a:99a8 with SMTP id eq23-20020a056808449700b003bbd83a99a8mr2523247oib.58.1705105552819;
        Fri, 12 Jan 2024 16:25:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1705105552; cv=none;
        d=google.com; s=arc-20160816;
        b=ZXDIt/sISyh2FAaSlxZtPZ/z3VS8g3BI+cxu4EydLgoR9lt9JpOui+ndJPQu5Es+Dc
         MQQ/trivOGmmDkGvml06cFdCRRPVCIkVJsoMk8kInl7pIttn8DJcso3LQtZcJxOpQMBF
         9j9wU/rsCiqIM86q8SiYt5qHrNsY/D8H0tYrlqqdwJYoLbE5Jyt0ZwCQI9CfwkoYkFC0
         tLDRUILkc2xEiUcXAH6E8Epc6G0T88JGjHBv2MMzl2w8fWbQj2MkMxxkTyXaHraGbPRk
         phveWoaCv0BRWhwdp8r4bnPoSsi3x76sxJf0WWLYBNPd7uqkABBhawjvjpGgKOTGj0n/
         yELg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from:dkim-signature:dkim-signature;
        bh=llJkPYV5jeYOy9aHiG/8PJePMPfFmAmBUSss2Ss3Zo0=;
        fh=CSHXrmG8rZFXrqC9vrPDZcrD1G47O7Wa2X3nZll/K0s=;
        b=yslVbx22yu/fLL1nzO5Z9b1EvXdq8Y8R1SqmkypGqfib8Pz43AeoJq0uN47hWcOIAW
         U47d70A4us/pEV6tN4O3xI/OnKWaEsnweuQ71qua80LIOrczjIvPi6+L22ulQkNm4kh/
         h0fGbeSWxkX7EljuGSoonkZN+fYXDvC5oEiPqY5OciWdUiBcGqGah4UkbXKSgWFgW2pb
         qvTOUz6obIXuEAxkNWrziZOk9Dx8E3hf8o7zKQbB6I6X2mkO4Yh8SBdFCFK/SAKxoH3T
         ypdn2mSqDZ41ktt4jv3sB1FlOOxzkaz9Ko1co5Q5QUvPbnGx6l90sqYcpY+NMHLk87Zv
         ngbQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=rdKavcU9;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=cF5g6XDE;
       spf=pass (google.com: domain of linux-kernel+bounces-25128-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-25128-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com
Return-Path: <linux-kernel+bounces-25128-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id b6-20020a63cf46000000b005ca4098bf5fsi4384475pgj.620.2024.01.12.16.25.52
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 12 Jan 2024 16:25:52 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-25128-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=rdKavcU9;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=cF5g6XDE;
       spf=pass (google.com: domain of linux-kernel+bounces-25128-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-25128-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id EC831283D48
	for <linux.lists.archive@gmail.com>; Sat, 13 Jan 2024 00:25:21 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 1B228632;
	Sat, 13 Jan 2024 00:25:15 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="rdKavcU9";
	dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="cF5g6XDE"
Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 42376366;
	Sat, 13 Jan 2024 00:25:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com
Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [10.150.64.97])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp-out1.suse.de (Postfix) with ESMTPS id E803C222E3;
	Sat, 13 Jan 2024 00:25:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;
	t=1705105510; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=llJkPYV5jeYOy9aHiG/8PJePMPfFmAmBUSss2Ss3Zo0=;
	b=rdKavcU9ZgLcsQev/eu1Abe5xB9BgJn96sugN3iNDcDC6LDrOCPY5A0sn8MmpRw2d6z8Et
	lFxXFBsYrZ3j+r5cQYFRSuwbsB8WiGzCT93HRRo5RGKKIQ4ducGa6QWnXmWnFGM9CNig3d
	CWMSzL2xEVrggx3Ex0tkdNzlVXR2bdE=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;
	t=1705105509; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=llJkPYV5jeYOy9aHiG/8PJePMPfFmAmBUSss2Ss3Zo0=;
	b=cF5g6XDEUa0GznWCk7ht5oyccWtOrAerizvUlfp+KwoKPoKRRKP6snvmEDPOyRbxad6m6E
	XS9s2yrt4inybcTl+Ma2ydWgvOPcgn1NM1hJqPL0Mg5x2aDFRhYpREO4f4XsOn3kOOI2kp
	IfSn6hXCViwkeyCxM93T/G77VSLs+hA=
Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id A08C213676;
	Sat, 13 Jan 2024 00:25:09 +0000 (UTC)
Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])
	by imap1.dmz-prg2.suse.org with ESMTPSA
	id mm98JWXYoWXIGQAAD6G6ig
	(envelope-from <mkoutny@suse.com>); Sat, 13 Jan 2024 00:25:09 +0000
From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
To: linux-arm-msm@vger.kernel.org,
	linux-remoteproc@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Bjorn Andersson <andersson@kernel.org>,
	Konrad Dybcio <konrad.dybcio@linaro.org>,
	Mathieu Poirier <mathieu.poirier@linaro.org>,
	afaerber@suse.com,
	ivan.ivanov@suse.com
Subject: [RFC PATCH] rpmsg: glink: Add bounds check on tx path
Date: Sat, 13 Jan 2024 01:25:05 +0100
Message-ID: <20240113002505.15503-1-mkoutny@suse.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Authentication-Results: smtp-out1.suse.de;
	none
X-Spam-Level: 
X-Spam-Score: -0.30
X-Spamd-Result: default: False [-0.30 / 50.00];
	 ARC_NA(0.00)[];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 FROM_HAS_DN(0.00)[];
	 TO_DN_SOME(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 MIME_GOOD(-0.10)[text/plain];
	 RCVD_COUNT_THREE(0.00)[3];
	 DKIM_SIGNED(0.00)[suse.com:s=susede1];
	 NEURAL_HAM_SHORT(-0.20)[-1.000];
	 RCPT_COUNT_SEVEN(0.00)[8];
	 MID_CONTAINS_FROM(1.00)[];
	 DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email];
	 FUZZY_BLOCKED(0.00)[rspamd.com];
	 FROM_EQ_ENVFROM(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 RCVD_TLS_ALL(0.00)[]
X-Spam-Flag: NO

Add bounds check on values read from shared memory in the tx path. In
cases where the VM is misbehaving, the transport should exit and print a
warning when bogus values may cause out of bounds to be read.

Link: https://git.codelinaro.org/clo/la/kernel/msm-5.10/-/commit/32d9c3a2f2b6a4d1fc48d6871194f3faf3184e8b
Suggested-by: Chris Lew <quic_clew@quicinc.com>
Suggested-by: Sarannya S <quic_sarannya@quicinc.com>
Signed-off-by: Michal Koutný <mkoutny@suse.com>
---
 drivers/rpmsg/qcom_glink_smem.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Why RFC? The patch is adopted from the link above. It would be good to
asses whether such conditions can also happen with rpmsg glink.
(And if so, whether the zeroed values are the best correction.)

diff --git a/drivers/rpmsg/qcom_glink_smem.c b/drivers/rpmsg/qcom_glink_smem.c
index 7a982c60a8dd..3e786e590c03 100644
--- a/drivers/rpmsg/qcom_glink_smem.c
+++ b/drivers/rpmsg/qcom_glink_smem.c
@@ -146,6 +146,11 @@ static size_t glink_smem_tx_avail(struct qcom_glink_pipe *np)
 	else
 		avail -= FIFO_FULL_RESERVE + TX_BLOCKED_CMD_RESERVE;
 
+	if (avail > pipe->native.length) {
+		pr_warn_once("%s: avail clamped\n", __func__);
+		avail = 0;
+	}
+
 	return avail;
 }
 
@@ -177,6 +182,10 @@ static void glink_smem_tx_write(struct qcom_glink_pipe *glink_pipe,
 	unsigned int head;
 
 	head = le32_to_cpu(*pipe->head);
+	if (head > pipe->native.length) {
+		pr_warn_once("%s: head overflow\n", __func__);
+		return;
+	}
 
 	head = glink_smem_tx_write_one(pipe, head, hdr, hlen);
 	head = glink_smem_tx_write_one(pipe, head, data, dlen);
-- 
2.43.0