From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6EC6F34DB4F; Mon, 4 May 2026 09:01:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.15 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777885280; cv=none; b=KIAWk4sjc3MiAe6XATyTfzYu+Xyc47RujffTY5joDNIvUTlxYaw/K742A+LkCE4eNYk8BlPC5SecLBvgZvFwl5q82BUi3tyubg0lo7PNxwQo4Jo0vBIZjxqzfyA3VN3iuyL19BkZar1EBPSveujHZlTl+gTsayCfYjPH7o/3gzs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777885280; c=relaxed/simple; bh=HPD8OIpg97Kw7qpYamrITGpD8pXMmw6ypaUAhsB5Cz8=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=KNJsaIRQU17FZsyVnVQTuzeax707Kz+fY3JqY3lp//tJ2vEhzdKoHaDh7yylhc4tdu2myyzvjeDukrcN97PI95S0t3vEXD0ny/GK30SkYcs358XBGhNQAhp6p0d+2j0Cb49IZRTfB1ee0cvycxE4DuzNHSwSjGMaN+LQCRTbu7A= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=pass smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=GpL7cEpj; arc=none smtp.client-ip=192.198.163.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="GpL7cEpj" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1777885280; x=1809421280; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=HPD8OIpg97Kw7qpYamrITGpD8pXMmw6ypaUAhsB5Cz8=; b=GpL7cEpjMQHQpko1yAJu0IKfgzBgPGWqXnf+aCjCOqCodBsEPssrCCL5 k83/2uEl3vEy/BIgeoP9AugdtLEpFbphy6AXTYAqnaN0QhL2TDaZdJfQy d+Lb2O4YapcwgufyXOkVGmD0HrcnoYgpxHZypaVErDQWLYTkpw3F+LUMz vbtHtDNdJAXPu+y1J3ozW+zo8UC3A3pN3TJmM6eVh1kBYjmoCmZ7mOn5H 5hvj4iNoQ1XCxko+b2ae/JhLZLPIuFZVUjwo0hsxOpQyb+8/cHxd5iDQ1 Ta3v6DvFka3cpq+VjpD9gQfNllJEbJ/9jQ/KUl7rlm6rcrmwm/S0RMkma A==; X-CSE-ConnectionGUID: L1hrcwD5SI6VME9ccC4zEg== X-CSE-MsgGUID: R82OL6jMQCqHlz3Xp1TyBw== X-IronPort-AV: E=McAfee;i="6800,10657,11775"; a="78839199" X-IronPort-AV: E=Sophos;i="6.23,215,1770624000"; d="scan'208";a="78839199" Received: from orviesa008.jf.intel.com ([10.64.159.148]) by fmvoesa109.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 May 2026 02:01:19 -0700 X-CSE-ConnectionGUID: xXSUuNw8QRSgwEdLcEWb9w== X-CSE-MsgGUID: yUUHWuwUTeaT+ggp89i3/Q== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.23,215,1770624000"; d="scan'208";a="235336644" Received: from hrotuna-mobl2.ger.corp.intel.com (HELO localhost) ([10.245.245.78]) by orviesa008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 May 2026 02:01:16 -0700 Date: Mon, 4 May 2026 12:01:14 +0300 From: Andy Shevchenko To: Michael Bommarito Cc: Mika Westerberg , linux-usb@vger.kernel.org, Andreas Noever , Yehezkel Bernat , Michael Jamet , Greg Kroah-Hartman , linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH v3 3/4] thunderbolt: property: cap recursion depth in __tb_property_parse_dir() Message-ID: References: <20260415123221.225149-1-michael.bommarito@gmail.com> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Organization: Intel Finland Oy - BIC 0357606-4 - c/o Alberga Business Park, 6 krs, Bertel Jungin Aukio 5, 02600 Espoo On Sun, May 03, 2026 at 10:15:07AM -0400, Michael Bommarito wrote: > A DIRECTORY entry's value field is used as the dir_offset for a > recursive call into __tb_property_parse_dir() with no depth counter. > A crafted peer that chains DIRECTORY entries into a back-reference > loop drives the parser until the kernel stack is exhausted and the > guard page fires. Any untrusted XDomain peer (cable, dock, in-line > inspector, adjacent host) that reaches the PROPERTIES_REQUEST > control-plane exchange can trigger this without authentication. > > Thread a depth counter through tb_property_parse() and > __tb_property_parse_dir(), and reject blocks that exceed > TB_PROPERTY_MAX_DEPTH = 8. That is comfortably larger than any > observed legitimate XDomain layout. > > Operators who do not need XDomain host-to-host discovery can disable > the path entirely with thunderbolt.xdomain=0 on the kernel command > line. ... > for (i = 0; i < nentries; i++) { > struct tb_property *property; > > - property = tb_property_parse(block, block_len, &entries[i]); > + property = tb_property_parse(block, block_len, &entries[i], > + depth); I would leave this on a single line (yes, slightly longer than 80 characters). > if (!property) { > tb_property_free_dir(dir); > return NULL; -- With Best Regards, Andy Shevchenko