[PATCH 1/5] accel/qaic: tighten bounds checking in encode_message()

Linux ARM-MSM sub-architecture
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@linaro.org>
To: Jeffrey Hugo <quic_jhugo@quicinc.com>
Cc: Carl Vanderlip <quic_carlv@quicinc.com>,
	Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>,
	Oded Gabbay <ogabbay@kernel.org>,
	Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>,
	Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>,
	linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org,
	kernel-janitors@vger.kernel.org
Subject: [PATCH 1/5] accel/qaic: tighten bounds checking in encode_message()
Date: Tue, 11 Jul 2023 09:06:22 +0300	[thread overview]
Message-ID: <ZKzxXhtwqYvoat8B@moroto> (raw)
In-Reply-To: <ZKzxP8iX8Op0lYvh@moroto>

There are several issues in this code.  The check at the start of the
loop:

	if (user_len >= user_msg->len) {

This check does not ensure that we have enough space for the trans_hdr
(8 bytes).  Instead the check needs to be:

	if (user_len >= user_msg->len - sizeof(*trans_hdr)) {

That subtraction is done as an unsigned long we want to avoid
negatives.  Add a lower bound to the start of the function.

	if (user_msg->len < sizeof(*trans_hdr))

There is a second integer underflow which can happen if
trans_hdr->len is zero inside the encode_passthrough() function.

	memcpy(out_trans->data, in_trans->data, in_trans->hdr.len - sizeof(in_trans->hdr));

Instead of adding a check to encode_passthrough() it's better to check
in this central place.  Add that check:

	if (trans_hdr->len < sizeof(trans_hdr)

The final concern is that the "user_len + trans_hdr->len" might have an
integer overflow bug.  Use size_add() to prevent that.

-	if (user_len + trans_hdr->len > user_msg->len) {
+	if (size_add(user_len, trans_hdr->len) > user_msg->len) {

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
This is based on code review and not tested.

 drivers/accel/qaic/qaic_control.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c
index 5c57f7b4494e..a51b1594dcfa 100644
--- a/drivers/accel/qaic/qaic_control.c
+++ b/drivers/accel/qaic/qaic_control.c
@@ -748,7 +748,8 @@ static int encode_message(struct qaic_device *qdev, struct manage_msg *user_msg,
 	int ret;
 	int i;
 
-	if (!user_msg->count) {
+	if (!user_msg->count ||
+	    user_msg->len < sizeof(*trans_hdr)) {
 		ret = -EINVAL;
 		goto out;
 	}
@@ -765,12 +766,13 @@ static int encode_message(struct qaic_device *qdev, struct manage_msg *user_msg,
 	}
 
 	for (i = 0; i < user_msg->count; ++i) {
-		if (user_len >= user_msg->len) {
+		if (user_len >= user_msg->len - sizeof(*trans_hdr)) {
 			ret = -EINVAL;
 			break;
 		}
 		trans_hdr = (struct qaic_manage_trans_hdr *)(user_msg->data + user_len);
-		if (user_len + trans_hdr->len > user_msg->len) {
+		if (trans_hdr->len < sizeof(trans_hdr) ||
+		    size_add(user_len, trans_hdr->len) > user_msg->len) {
 			ret = -EINVAL;
 			break;
 		}
-- 
2.39.2

next prev parent reply	other threads:[~2023-07-11  6:06 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-11  6:05 [PATCH 0/5 v2] accel/qaic: Improve bounds checking in encode/decode Dan Carpenter
2023-07-11  6:06 ` Dan Carpenter [this message]
2023-07-11  6:07   ` [PATCH 1/5] accel/qaic: tighten bounds checking in encode_message() Dan Carpenter
  -- strict thread matches above, loose matches on Subject: below --
2023-06-21  7:21 [PATCH 0/5] accel/qaic: Improve bounds checking in encode/decode Dan Carpenter
2023-06-21  7:21 ` [PATCH 1/5] accel/qaic: tighten bounds checking in encode_message() Dan Carpenter
2023-06-22 11:24   ` Pranjal Ramajor Asha Kanojiya
2023-06-22 11:43     ` Dan Carpenter
2023-06-22 11:54       ` Dan Carpenter
2023-07-04  6:27   ` Pranjal Ramajor Asha Kanojiya
2023-07-04  6:34     ` Pranjal Ramajor Asha Kanojiya
2023-07-04  8:48       ` Dan Carpenter
2023-07-04  8:38     ` Dan Carpenter
2023-07-04  9:48       ` Pranjal Ramajor Asha Kanojiya
2023-07-04  9:58         ` Dan Carpenter
2023-07-07 18:29           ` Jeffrey Hugo

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5c57f7b4494 dfblob:a51b1594dcf )
 OR (
bs:"[PATCH 1/5] accel/qaic: tighten bounds checking in encode_message()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZKzxXhtwqYvoat8B@moroto \
    --to=dan.carpenter@linaro.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=jacek.lawrynowicz@linux.intel.com \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=ogabbay@kernel.org \
    --cc=quic_carlv@quicinc.com \
    --cc=quic_jhugo@quicinc.com \
    --cc=quic_pkanojiy@quicinc.com \
    --cc=stanislaw.gruszka@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox