lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 27 Apr 2018 09:08:17 -0500
From:   Alex Elder <elder@...aro.org>
To:     andy.gross@...aro.org, david.brown@...aro.org
Cc:     linux-arm-msm@...r.kernel.org, linux-soc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] soc: qcom: qmi: fix a buffer sizing bug

In qmi_handle_init(), a buffer is allocated for to hold messages
received through the handle's socket.  Any "normal" messages
(expected by the caller) will have a header prepended, so the
buffer size is adjusted to accomodate that.

The buffer must also be of sufficient size to receive control
messages, so the size is increased if necessary to ensure these
will fit.

Unfortunately the calculation is done wrong, making it possible
for the calculated buffer size to be too small to hold a "normal"
message.  Specifically, if:

  recv_buf_size > sizeof(struct qrtr_ctrl_pkt) - sizeof(struct qmi_header)
		AND
  recv_buf_size < sizeof(struct qrtr_ctrl_pkt)

the current logic will use sizeof(struct qrtr_ctrl_pkt) as the
receive buffer size, which is not enough to hold the maximum
"normal" message plus its header.  Currently this problem occurs
for (13 < recv_buf_size < 20).

This patch corrects this.

Signed-off-by: Alex Elder <elder@...aro.org>
---
 drivers/soc/qcom/qmi_interface.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/soc/qcom/qmi_interface.c b/drivers/soc/qcom/qmi_interface.c
index 321982277697..938ca41c56cd 100644
--- a/drivers/soc/qcom/qmi_interface.c
+++ b/drivers/soc/qcom/qmi_interface.c
@@ -639,10 +639,11 @@ int qmi_handle_init(struct qmi_handle *qmi, size_t recv_buf_size,
 	if (ops)
 		qmi->ops = *ops;
 
+	/* Make room for the header */
+	recv_buf_size += sizeof(struct qmi_header);
+	/* Must also be sufficient to hold a control packet */
 	if (recv_buf_size < sizeof(struct qrtr_ctrl_pkt))
 		recv_buf_size = sizeof(struct qrtr_ctrl_pkt);
-	else
-		recv_buf_size += sizeof(struct qmi_header);
 
 	qmi->recv_buf_size = recv_buf_size;
 	qmi->recv_buf = kzalloc(recv_buf_size, GFP_KERNEL);
-- 
2.14.1

Powered by blists - more mailing lists