From: Michael Bommarito <michael.bommarito@gmail.com>
To: Mika Westerberg <westeri@kernel.org>,
Andreas Noever <andreas.noever@gmail.com>,
Yehezkel Bernat <YehezkelShB@gmail.com>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 3/6] thunderbolt: clamp XDomain response data copy to allocation size
Date: Mon, 25 May 2026 05:28:27 -0400 [thread overview]
Message-ID: <20260525092830.735472-4-michael.bommarito@gmail.com> (raw)
In-Reply-To: <20260525092830.735472-1-michael.bommarito@gmail.com>
tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.
Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
Confirmed over Thunderbolt 4 cable (Framework -> Dell, stock Ubuntu
26.04 7.0.0-15-generic).
Also reproduced with KASAN on QEMU (7.1.0-rc3):
BUG: KASAN: slab-out-of-bounds in
tb_test_synthetic_overflow.cold+0x131/0x29a
Write of size 192 at addr ffff888002110200
drivers/thunderbolt/xdomain.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c
index 754808c43f006..4099419c74795 100644
--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -393,6 +393,8 @@ static int tb_xdp_properties_request(struct tb_ctl *ctl, u64 route,
}
}
+ if (req.offset + len > data_len)
+ len = data_len - req.offset;
memcpy(data + req.offset, res->data, len * 4);
req.offset += len;
} while (!data_len || req.offset < data_len);
--
2.53.0
next prev parent reply other threads:[~2026-05-25 9:29 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-25 9:28 [PATCH 0/6] thunderbolt: harden XDomain property exchange Michael Bommarito
2026-05-25 9:28 ` [PATCH 1/6] thunderbolt: reject zero-length property entries in validator Michael Bommarito
2026-05-25 9:28 ` [PATCH 2/6] thunderbolt: bound root directory content to block size Michael Bommarito
2026-05-25 9:28 ` Michael Bommarito [this message]
2026-05-25 9:28 ` [PATCH 4/6] thunderbolt: validate XDomain request packet size before type cast Michael Bommarito
2026-05-25 9:28 ` [PATCH 5/6] thunderbolt: limit XDomain response copy to actual frame size Michael Bommarito
2026-05-25 9:28 ` [PATCH 6/6] thunderbolt: test: add KUnit tests for property parser bounds checks Michael Bommarito
2026-05-26 13:32 ` [PATCH 0/6] thunderbolt: harden XDomain property exchange Mika Westerberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260525092830.735472-4-michael.bommarito@gmail.com \
--to=michael.bommarito@gmail.com \
--cc=YehezkelShB@gmail.com \
--cc=andreas.noever@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=westeri@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.