From: Michael Bommarito <michael.bommarito@gmail.com>
To: Mika Westerberg <westeri@kernel.org>,
Andreas Noever <andreas.noever@gmail.com>,
Yehezkel Bernat <YehezkelShB@gmail.com>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/6] thunderbolt: reject zero-length property entries in validator
Date: Mon, 25 May 2026 05:28:25 -0400 [thread overview]
Message-ID: <20260525092830.735472-2-michael.bommarito@gmail.com> (raw)
In-Reply-To: <20260525092830.735472-1-michael.bommarito@gmail.com>
tb_property_entry_valid() accepts entries with length == 0 for
DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes
validation but causes an underflow in the null-termination logic:
property->value.text[property->length * 4 - 1] = '\0';
When property->length is 0 this writes to offset -1 relative to
the allocation.
Reject zero-length entries early in the validator since they have no
valid representation in the XDomain property protocol.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
drivers/thunderbolt/property.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c
index da2c59a17db5c..5cbc1c4f159c2 100644
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -60,6 +60,8 @@ static bool tb_property_entry_valid(const struct tb_property_entry *entry,
case TB_PROPERTY_TYPE_DIRECTORY:
case TB_PROPERTY_TYPE_DATA:
case TB_PROPERTY_TYPE_TEXT:
+ if (!entry->length)
+ return false;
if (entry->length > block_len)
return false;
if (check_add_overflow(entry->value, entry->length, &end) ||
base-commit: 928abe19fbf0127003abcb1ea69cabc1c897d0ab
--
2.53.0
next prev parent reply other threads:[~2026-05-25 9:29 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-25 9:28 [PATCH 0/6] thunderbolt: harden XDomain property exchange Michael Bommarito
2026-05-25 9:28 ` Michael Bommarito [this message]
2026-05-25 9:28 ` [PATCH 2/6] thunderbolt: bound root directory content to block size Michael Bommarito
2026-05-25 9:28 ` [PATCH 3/6] thunderbolt: clamp XDomain response data copy to allocation size Michael Bommarito
2026-05-25 9:28 ` [PATCH 4/6] thunderbolt: validate XDomain request packet size before type cast Michael Bommarito
2026-05-25 9:28 ` [PATCH 5/6] thunderbolt: limit XDomain response copy to actual frame size Michael Bommarito
2026-05-25 9:28 ` [PATCH 6/6] thunderbolt: test: add KUnit tests for property parser bounds checks Michael Bommarito
2026-05-26 13:32 ` [PATCH 0/6] thunderbolt: harden XDomain property exchange Mika Westerberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260525092830.735472-2-michael.bommarito@gmail.com \
--to=michael.bommarito@gmail.com \
--cc=YehezkelShB@gmail.com \
--cc=andreas.noever@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=westeri@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.