From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Hemant Kumar <hemantk@codeaurora.org>,
Bhaumik Bhatt <bbhatt@codeaurora.org>,
Jeffrey Hugo <jhugo@codeaurora.org>,
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-arm-msm@vger.kernel.org
Subject: [PATCH AUTOSEL 5.7 256/388] bus: mhi: core: Read transfer length from an event properly
Date: Wed, 17 Jun 2020 21:05:53 -0400
Message-ID: <20200618010805.600873-256-sashal@kernel.org>
In-Reply-To: <20200618010805.600873-1-sashal@kernel.org>

From: Hemant Kumar <hemantk@codeaurora.org>

[ Upstream commit ee75cedf82d832561af8ba8380aeffd00a9eea77 ]

When MHI Driver receives an EOT event, it reads xfer_len from the
event in the last TRE. The value is under control of the MHI device
and never validated by Host MHI driver. The value should never be
larger than the real size of the buffer but a malicious device can
set the value 0xFFFF as maximum. This causes driver to memory
overflow (both read or write). Fix this issue by reading minimum of
transfer length from event and the buffer length provided.

Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org>
Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20200521170249.21795-5-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/mhi/core/main.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c
index 97e06cc586e4..8be3d0fb0614 100644
--- a/drivers/bus/mhi/core/main.c
+++ b/drivers/bus/mhi/core/main.c
@@ -513,7 +513,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl,
mhi_cntrl->unmap_single(mhi_cntrl, buf_info);
result.buf_addr = buf_info->cb_buf;
- result.bytes_xferd = xfer_len;
+
+ /* truncate to buf len if xfer_len is larger */
+ result.bytes_xferd =
+ min_t(u16, xfer_len, buf_info->len);
mhi_del_ring_element(mhi_cntrl, buf_ring);
mhi_del_ring_element(mhi_cntrl, tre_ring);
local_rp = tre_ring->rp;
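
Review bot: the clamp in parse_xfer_event() uses min_t(u16, xfer_len, buf_info->len), which casts both operands to u16 before comparing. The declaration of buf_info->len is not visible in this hunk; if that field is wider than 16 bits, a buffer length above 0xFFFF is truncated by the cast first (a length of 0x10000 becomes 0), so bytes_xferd can come out smaller than both the reported length and the real buffer size. The result is still never larger than the buffer, so the overflow described in the commit message stays closed, but the client would see a short or zero-length completion for a valid transfer. Doing the comparison in the type of buf_info->len, for example min_t(size_t, xfer_len, buf_info->len), keeps the bound without the narrowing.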
@@ -597,7 +600,9 @@ static int parse_rsc_event(struct mhi_controller *mhi_cntrl,
result.transaction_status = (ev_code == MHI_EV_CC_OVERFLOW) ?
-EOVERFLOW : 0;
- result.bytes_xferd = xfer_len;
+
+ /* truncate to buf len if xfer_len is larger */
+ result.bytes_xferd = min_t(u16, xfer_len, buf_info->len);
result.buf_addr = buf_info->cb_buf;
result.dir = mhi_chan->dir;
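
Review bot: in parse_rsc_event() the new min_t() clamp silently corrects a length that the device over-reported, while result.transaction_status just above is set to -EOVERFLOW only for MHI_EV_CC_OVERFLOW. A device that reports xfer_len larger than buf_info->len is violating the protocol, and after this change neither the client nor the log sees any trace of it. Consider emitting a rate-limited warning when xfer_len > buf_info->len so that a misbehaving or malicious device is detectable. The same comment and clamp are duplicated in parse_xfer_event(); a small shared helper would keep the two sites from drifting apart.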
--
2.25.1