lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0dc0310f-3fbd-088c-75cd-291e7c76e83b@codeaurora.org>
Date:   Mon, 27 Apr 2020 12:50:30 -0600
From:   Jeffrey Hugo <jhugo@...eaurora.org>
To:     Bhaumik Bhatt <bbhatt@...eaurora.org>, mani@...nel.org
Cc:     linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org,
        hemantk@...eaurora.org
Subject: Re: [PATCH v1 2/8] bus: mhi: core: Add range check for channel id
 received in event ring

On 4/27/2020 12:32 PM, Bhaumik Bhatt wrote:
> From: Hemant Kumar <hemantk@...eaurora.org>
> 
> MHI data completion handler function reads channel id from event
> ring element. Value is under the control of MHI devices and can be
> any value between 0 and 255. In order to prevent out of bound access
> add a bound check against the max channel supported by controller
> and skip processing of that event ring element.
> 
> Signed-off-by: Hemant Kumar <hemantk@...eaurora.org>

I believe your SOB is needed here after Hemant's per section 11 of 
Documentation/process/submitting-patches.rst

> ---
>   drivers/bus/mhi/core/main.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c
> index 23154f1..ba8afa7 100644
> --- a/drivers/bus/mhi/core/main.c
> +++ b/drivers/bus/mhi/core/main.c
> @@ -827,6 +827,9 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl,
>   		enum mhi_pkt_type type = MHI_TRE_GET_EV_TYPE(local_rp);
>   
>   		chan = MHI_TRE_GET_EV_CHID(local_rp);
> +		if (WARN_ON(chan >= mhi_cntrl->max_chan))
> +			continue;
> +
>   		mhi_chan = &mhi_cntrl->mhi_chan[chan];
>   
>   		if (likely(type == MHI_PKT_TYPE_TX_EVENT)) {
> 

How does this work?

I understand the need for the range check, however I looks like this 
change doesn't do proper handling.

Since all you do is "continue", we'll remain stuck in the while loop 
this exists in, continuously "processing" the same event, failing the 
same check, and spamming the kernel log with the WARN_ON output until 
the end of time.

What am I missing?

What is the behavior you want?  Do you want to just drop/ignore the 
invalid event, or issue a reset of the device because it is clearly 
misbehaving?

-- 
Jeffrey Hugo
Qualcomm Technologies, Inc. is a member of the
Code Aurora Forum, a Linux Foundation Collaborative Project.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ