From: Michael Bommarito <michael.bommarito@gmail.com>
To: Mika Westerberg <westeri@kernel.org>,
Andreas Noever <andreas.noever@gmail.com>,
Yehezkel Bernat <YehezkelShB@gmail.com>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 4/6] thunderbolt: validate XDomain request packet size before type cast
Date: Mon, 25 May 2026 05:28:28 -0400 [thread overview]
Message-ID: <20260525092830.735472-5-michael.bommarito@gmail.com> (raw)
In-Reply-To: <20260525092830.735472-1-michael.bommarito@gmail.com>
tb_xdp_handle_request() casts the received packet buffer to
protocol-specific structs without verifying that the allocation
is large enough for the target type. A peer can send a minimal
XDomain packet that passes the generic header length check but is
shorter than the struct accessed after the cast, causing out-of-
bounds reads from the kmemdup allocation.
Plumb the packet length through xdomain_request_work and validate
it against the expected struct size before each cast.
Fixes: 8e1de7042596 ("thunderbolt: Add support for XDomain lane bonding")
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
Stock KASAN splat reproduced on QEMU (7.1.0-rc3). A test module
allocates a 32-byte packet (tb_xdp_header only) and casts to
tb_xdp_link_state_change (36 bytes). The read past the allocation
fires immediately:
BUG: KASAN: slab-out-of-bounds in
tb_test_xdp_short_packet_cast_trigger.cold+0x118/0x12d
Read of size 1 at addr ffff888002110260
located 0 bytes to the right of allocated 32-byte region
Also exercised over Thunderbolt 4 cable with 258 truncated-packet
injections (PROPERTIES_REQUEST 68 -> 32 bytes).
drivers/thunderbolt/xdomain.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c
index 4099419c74795..9d54e3ccc8278 100644
--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -55,6 +55,7 @@ static const char * const state_names[] = {
struct xdomain_request_work {
struct work_struct work;
struct tb_xdp_header *pkg;
+ size_t pkg_len;
struct tb *tb;
};
@@ -733,6 +734,7 @@ static void tb_xdp_handle_request(struct work_struct *work)
struct xdomain_request_work *xw = container_of(work, typeof(*xw), work);
const struct tb_xdp_header *pkg = xw->pkg;
const struct tb_xdomain_header *xhdr = &pkg->xd_hdr;
+ size_t pkg_len = xw->pkg_len;
struct tb *tb = xw->tb;
struct tb_ctl *ctl = tb->ctl;
struct tb_xdomain *xd;
@@ -764,7 +766,7 @@ static void tb_xdp_handle_request(struct work_struct *work)
switch (pkg->type) {
case PROPERTIES_REQUEST:
tb_dbg(tb, "%llx: received XDomain properties request\n", route);
- if (xd) {
+ if (xd && pkg_len >= sizeof(struct tb_xdp_properties)) {
ret = tb_xdp_properties_response(tb, ctl, xd, sequence,
(const struct tb_xdp_properties *)pkg);
}
@@ -818,7 +820,8 @@ static void tb_xdp_handle_request(struct work_struct *work)
tb_dbg(tb, "%llx: received XDomain link state change request\n",
route);
- if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH) {
+ if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH &&
+ pkg_len >= sizeof(struct tb_xdp_link_state_change)) {
const struct tb_xdp_link_state_change *lsc =
(const struct tb_xdp_link_state_change *)pkg;
@@ -870,6 +873,7 @@ tb_xdp_schedule_request(struct tb *tb, const struct tb_xdp_header *hdr,
kfree(xw);
return false;
}
+ xw->pkg_len = size;
xw->tb = tb_domain_get(tb);
schedule_work(&xw->work);
--
2.53.0
next prev parent reply other threads:[~2026-05-25 9:29 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-25 9:28 [PATCH 0/6] thunderbolt: harden XDomain property exchange Michael Bommarito
2026-05-25 9:28 ` [PATCH 1/6] thunderbolt: reject zero-length property entries in validator Michael Bommarito
2026-05-25 9:28 ` [PATCH 2/6] thunderbolt: bound root directory content to block size Michael Bommarito
2026-05-25 9:28 ` [PATCH 3/6] thunderbolt: clamp XDomain response data copy to allocation size Michael Bommarito
2026-05-25 9:28 ` Michael Bommarito [this message]
2026-05-25 9:28 ` [PATCH 5/6] thunderbolt: limit XDomain response copy to actual frame size Michael Bommarito
2026-05-25 9:28 ` [PATCH 6/6] thunderbolt: test: add KUnit tests for property parser bounds checks Michael Bommarito
2026-05-26 13:32 ` [PATCH 0/6] thunderbolt: harden XDomain property exchange Mika Westerberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260525092830.735472-5-michael.bommarito@gmail.com \
--to=michael.bommarito@gmail.com \
--cc=YehezkelShB@gmail.com \
--cc=andreas.noever@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=westeri@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.