lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 13 Jan 2024 01:25:05 +0100
From: Michal Koutný <mkoutny@...e.com>
To: linux-arm-msm@...r.kernel.org,
	linux-remoteproc@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: Bjorn Andersson <andersson@...nel.org>,
	Konrad Dybcio <konrad.dybcio@...aro.org>,
	Mathieu Poirier <mathieu.poirier@...aro.org>,
	afaerber@...e.com,
	ivan.ivanov@...e.com
Subject: [RFC PATCH] rpmsg: glink: Add bounds check on tx path

Add bounds check on values read from shared memory in the tx path. In
cases where the VM is misbehaving, the transport should exit and print a
warning when bogus values may cause out of bounds to be read.

Link: https://git.codelinaro.org/clo/la/kernel/msm-5.10/-/commit/32d9c3a2f2b6a4d1fc48d6871194f3faf3184e8b
Suggested-by: Chris Lew <quic_clew@...cinc.com>
Suggested-by: Sarannya S <quic_sarannya@...cinc.com>
Signed-off-by: Michal Koutný <mkoutny@...e.com>
---
 drivers/rpmsg/qcom_glink_smem.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Why RFC? The patch is adopted from the link above. It would be good to
asses whether such conditions can also happen with rpmsg glink.
(And if so, whether the zeroed values are the best correction.)

diff --git a/drivers/rpmsg/qcom_glink_smem.c b/drivers/rpmsg/qcom_glink_smem.c
index 7a982c60a8dd..3e786e590c03 100644
--- a/drivers/rpmsg/qcom_glink_smem.c
+++ b/drivers/rpmsg/qcom_glink_smem.c
@@ -146,6 +146,11 @@ static size_t glink_smem_tx_avail(struct qcom_glink_pipe *np)
 	else
 		avail -= FIFO_FULL_RESERVE + TX_BLOCKED_CMD_RESERVE;
 
+	if (avail > pipe->native.length) {
+		pr_warn_once("%s: avail clamped\n", __func__);
+		avail = 0;
+	}
+
 	return avail;
 }
 
@@ -177,6 +182,10 @@ static void glink_smem_tx_write(struct qcom_glink_pipe *glink_pipe,
 	unsigned int head;
 
 	head = le32_to_cpu(*pipe->head);
+	if (head > pipe->native.length) {
+		pr_warn_once("%s: head overflow\n", __func__);
+		return;
+	}
 
 	head = glink_smem_tx_write_one(pipe, head, hdr, hlen);
 	head = glink_smem_tx_write_one(pipe, head, data, dlen);
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ