lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 May 2020 11:19:11 +0530 From: Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org> To: Bhaumik Bhatt <bbhatt@...eaurora.org> Cc: linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org, hemantk@...eaurora.org, jhugo@...eaurora.org Subject: Re: [PATCH v7 4/8] bus: mhi: core: Read transfer length from an event properly On Fri, May 08, 2020 at 07:26:44PM -0700, Bhaumik Bhatt wrote: > From: Hemant Kumar <hemantk@...eaurora.org> > > When MHI Driver receives an EOT event, it reads xfer_len from the > event in the last TRE. The value is under control of the MHI device > and never validated by Host MHI driver. The value should never be > larger than the real size of the buffer but a malicious device can > set the value 0xFFFF as maximum. This causes driver to memory > overflow (both read or write). Fix this issue by reading minimum of > transfer length from event and the buffer length provided. > > Signed-off-by: Hemant Kumar <hemantk@...eaurora.org> > Signed-off-by: Bhaumik Bhatt <bbhatt@...eaurora.org> > Reviewed-by: Jeffrey Hugo <jhugo@...eaurora.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org> Thanks, Mani > --- > drivers/bus/mhi/core/main.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c > index 30798ec..6a80666 100644 > --- a/drivers/bus/mhi/core/main.c > +++ b/drivers/bus/mhi/core/main.c > @@ -514,7 +514,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, > mhi_cntrl->unmap_single(mhi_cntrl, buf_info); > > result.buf_addr = buf_info->cb_buf; > - result.bytes_xferd = xfer_len; > + > + /* truncate to buf len if xfer_len is larger */ > + result.bytes_xferd = > + min_t(u16, xfer_len, buf_info->len); > mhi_del_ring_element(mhi_cntrl, buf_ring); > mhi_del_ring_element(mhi_cntrl, tre_ring); > local_rp = tre_ring->rp; > @@ -598,7 +601,9 @@ static int parse_rsc_event(struct mhi_controller *mhi_cntrl, > > result.transaction_status = (ev_code == MHI_EV_CC_OVERFLOW) ? > -EOVERFLOW : 0; > - result.bytes_xferd = xfer_len; > + > + /* truncate to buf len if xfer_len is larger */ > + result.bytes_xferd = min_t(u16, xfer_len, buf_info->len); > result.buf_addr = buf_info->cb_buf; > result.dir = mhi_chan->dir; > > -- > The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, > a Linux Foundation Collaborative Project
Powered by blists - more mailing lists