From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Cristian Marussi <cristian.marussi@arm.com>,
Sudeep Holla <sudeep.holla@arm.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.19 10/48] firmware: arm_scmi: Harden accesses to the sensor domains
Date: Mon, 10 Oct 2022 09:05:08 +0200 [thread overview]
Message-ID: <20221010070333.973389550@linuxfoundation.org> (raw)
In-Reply-To: <20221010070333.676316214@linuxfoundation.org>
From: Cristian Marussi <cristian.marussi@arm.com>
[ Upstream commit 76f89c954788763db575fb512a40bd483864f1e9 ]
Accessing sensor domains descriptors by the index upon the SCMI drivers
requests through the SCMI sensor operations interface can potentially
lead to out-of-bound violations if the SCMI driver misbehave.
Add an internal consistency check before any such domains descriptors
accesses.
Link: https://lore.kernel.org/r/20220817172731.1185305-4-cristian.marussi@arm.com
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_scmi/sensors.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/drivers/firmware/arm_scmi/sensors.c b/drivers/firmware/arm_scmi/sensors.c
index 7d0c7476d206..0b5853fa9d87 100644
--- a/drivers/firmware/arm_scmi/sensors.c
+++ b/drivers/firmware/arm_scmi/sensors.c
@@ -762,6 +762,10 @@ static int scmi_sensor_config_get(const struct scmi_protocol_handle *ph,
{
int ret;
struct scmi_xfer *t;
+ struct sensors_info *si = ph->get_priv(ph);
+
+ if (sensor_id >= si->num_sensors)
+ return -EINVAL;
ret = ph->xops->xfer_get_init(ph, SENSOR_CONFIG_GET,
sizeof(__le32), sizeof(__le32), &t);
@@ -771,7 +775,6 @@ static int scmi_sensor_config_get(const struct scmi_protocol_handle *ph,
put_unaligned_le32(sensor_id, t->tx.buf);
ret = ph->xops->do_xfer(ph, t);
if (!ret) {
- struct sensors_info *si = ph->get_priv(ph);
struct scmi_sensor_info *s = si->sensors + sensor_id;
*sensor_config = get_unaligned_le64(t->rx.buf);
@@ -788,6 +791,10 @@ static int scmi_sensor_config_set(const struct scmi_protocol_handle *ph,
int ret;
struct scmi_xfer *t;
struct scmi_msg_sensor_config_set *msg;
+ struct sensors_info *si = ph->get_priv(ph);
+
+ if (sensor_id >= si->num_sensors)
+ return -EINVAL;
ret = ph->xops->xfer_get_init(ph, SENSOR_CONFIG_SET,
sizeof(*msg), 0, &t);
@@ -800,7 +807,6 @@ static int scmi_sensor_config_set(const struct scmi_protocol_handle *ph,
ret = ph->xops->do_xfer(ph, t);
if (!ret) {
- struct sensors_info *si = ph->get_priv(ph);
struct scmi_sensor_info *s = si->sensors + sensor_id;
s->sensor_config = sensor_config;
@@ -831,8 +837,11 @@ static int scmi_sensor_reading_get(const struct scmi_protocol_handle *ph,
int ret;
struct scmi_xfer *t;
struct scmi_msg_sensor_reading_get *sensor;
+ struct scmi_sensor_info *s;
struct sensors_info *si = ph->get_priv(ph);
- struct scmi_sensor_info *s = si->sensors + sensor_id;
+
+ if (sensor_id >= si->num_sensors)
+ return -EINVAL;
ret = ph->xops->xfer_get_init(ph, SENSOR_READING_GET,
sizeof(*sensor), 0, &t);
@@ -841,6 +850,7 @@ static int scmi_sensor_reading_get(const struct scmi_protocol_handle *ph,
sensor = t->tx.buf;
sensor->id = cpu_to_le32(sensor_id);
+ s = si->sensors + sensor_id;
if (s->async) {
sensor->flags = cpu_to_le32(SENSOR_READ_ASYNC);
ret = ph->xops->do_xfer_with_response(ph, t);
@@ -895,9 +905,13 @@ scmi_sensor_reading_get_timestamped(const struct scmi_protocol_handle *ph,
int ret;
struct scmi_xfer *t;
struct scmi_msg_sensor_reading_get *sensor;
+ struct scmi_sensor_info *s;
struct sensors_info *si = ph->get_priv(ph);
- struct scmi_sensor_info *s = si->sensors + sensor_id;
+ if (sensor_id >= si->num_sensors)
+ return -EINVAL;
+
+ s = si->sensors + sensor_id;
if (!count || !readings ||
(!s->num_axis && count > 1) || (s->num_axis && count > s->num_axis))
return -EINVAL;
--
2.35.1
next prev parent reply other threads:[~2022-10-10 7:07 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-10 7:04 [PATCH 5.19 00/48] 5.19.15-rc1 review Greg Kroah-Hartman
2022-10-10 7:04 ` [PATCH 5.19 01/48] sparc: Unbreak the build Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 02/48] Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 03/48] hardening: Remove Clangs enable flag for -ftrivial-auto-var-init=zero Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 04/48] docs: update mediator information in CoC docs Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 05/48] xsk: Inherit need_wakeup flag for shared sockets Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 06/48] wait_on_bit: add an acquire memory barrier Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 07/48] provide arch_test_bit_acquire for architectures that define test_bit Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 08/48] fs: fix UAF/GPF bug in nilfs_mdt_destroy Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 09/48] firmware: arm_scmi: Improve checks in the info_get operations Greg Kroah-Hartman
2022-10-10 7:05 ` Greg Kroah-Hartman [this message]
2022-10-10 7:05 ` [PATCH 5.19 11/48] firmware: arm_scmi: Add SCMI PM driver remove routine Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 12/48] arm64: dts: rockchip: fix upper usb port on BPI-R2-Pro Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 13/48] dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error handling Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 14/48] dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 15/48] dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 16/48] wifi: iwlwifi: dont spam logs with NSS>2 messages Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 17/48] ARM: dts: fix Moxa SDIO compatible, remove sdhci misnomer Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 18/48] drm/amdgpu/mes: zero the sdma_hqd_mask of 2nd SDMA engine for SDMA 6.0.1 Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 19/48] scsi: qedf: Fix a UAF bug in __qedf_probe() Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 20/48] net/ieee802154: fix uninit value bug in dgram_sendmsg Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 21/48] net: marvell: prestera: add support for for Aldrin2 Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 22/48] ALSA: hda/hdmi: Fix the converter reuse for the silent stream Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 23/48] um: Cleanup syscall_handler_t cast in syscalls_32.h Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 24/48] um: Cleanup compiler warning in arch/x86/um/tls_32.c Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 25/48] gpio: ftgpio010: Make irqchip immutable Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 26/48] arch: um: Mark the stack non-executable to fix a binutils warning Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 27/48] net: atlantic: fix potential memory leak in aq_ndev_close() Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 28/48] KVM: s390: Pass initialized arg even if unused Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 29/48] drm/amd/display: Fix double cursor on non-video RGB MPO Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 30/48] drm/amd/display: Assume an LTTPR is always present on fixed_vs links Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 31/48] drm/amd/display: update gamut remap if plane has changed Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 32/48] drm/amd/display: skip audio setup when audio stream is enabled Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 33/48] drm/amd/display: Fix DP MST timeslot issue when fallback happened Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 34/48] drm/amd/display: increase dcn315 pstate change latency Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 35/48] perf/x86/intel: Fix unchecked MSR access error for Alder Lake N Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 36/48] [coredump] dont use __kernel_write() on kmap_local_page() Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 37/48] i2c: davinci: fix PM disable depth imbalance in davinci_i2c_probe Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 38/48] usb: mon: make mmapped memory read only Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 39/48] USB: serial: ftdi_sio: fix 300 bps rate for SIO Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 40/48] gpiolib: acpi: Add support to ignore programming an interrupt Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 41/48] gpiolib: acpi: Add a quirk for Asus UM325UAZ Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 42/48] mmc: core: Replace with already defined values for readability Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 43/48] mmc: core: Terminate infinite loop in SD-UHS voltage switch Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 44/48] rpmsg: qcom: glink: replace strncpy() with strscpy_pad() Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 45/48] bpf: Gate dynptr API behind CAP_BPF Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 46/48] net: ethernet: mtk_eth_soc: fix state in __mtk_foe_entry_clear Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 47/48] bpf: Fix resetting logic for unreferenced kptrs Greg Kroah-Hartman
2022-10-10 7:05 ` [PATCH 5.19 48/48] Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works Greg Kroah-Hartman
2022-10-10 16:01 ` [PATCH 5.19 00/48] 5.19.15-rc1 review Naresh Kamboju
2022-10-10 16:29 ` Justin Forbes
2022-10-10 18:51 ` Florian Fainelli
2022-10-10 21:28 ` Shuah Khan
2022-10-11 7:25 ` Bagas Sanjaya
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221010070333.973389550@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cristian.marussi@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=sudeep.holla@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).