| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Jul 2020 17:52:10 -0500
From: "Gustavo A. R. Silva" <gustavoars@...nel.org>
To: Tomas Winkler <tomas.winkler@...el.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Alexander Usyskin <alexander.usyskin@...el.com>,
linux-kernel@...r.kernel.org,
"Gustavo A. R. Silva" <gustavo@...eddedor.com>,
Ramalingam C <ramalingam.c@...el.com>, stable@...r.kernel.org
Subject: Re: [char-misc-next V4] mei: hdcp: fix mei_hdcp_verify_mprime()
input parameter
On Fri, Jul 31, 2020 at 01:01:39AM +0300, Tomas Winkler wrote:
> wired_cmd_repeater_auth_stream_req_in has a variable
> length array at the end. we use struct_size() overflow
> macro to determine the size for the allocation and sending
> size.
> This also fixes bug in case number of streams is > 0 in the original
> submission. This bug was not triggered as the number of streams is
> always one.
>
> Fixes: c56967d674e3 (mei: hdcp: Replace one-element array with flexible-array member)
> Fixes: commit 0a1af1b5c18d ("misc/mei/hdcp: Verify M_prime")
^^^^
I think the _commit_ word above is unnecessary.
> Cc: "Gustavo A. R. Silva" <gustavo@...eddedor.com>
> Cc: Ramalingam C <ramalingam.c@...el.com>
> Cc: <stable@...r.kernel.org> v5.1+
Greg,
Notice that this patch is fine as is for -next, only. This becomes suitable
for -stable as long as commit c56967d674e3 (mei: hdcp: Replace one-element array with flexible-array member)
is applied to -stable, too. Otherwise, a separate patch that leaves the
one-element array in struct wired_cmd_repeater_auth_stream_req_in in place
needs to be crafted. With this taken into account, here is my
Reviewed-by: Gustavo A. R. Silva <gustavoars@...nel.org>
Thanks for the changes, Tomas.
--
Gustavo
> Signed-off-by: Tomas Winkler <tomas.winkler@...el.com>
> ---
> V4:
> 1. Fix typo in the subject. (Gustavo)
> 2. Fix dereferencing pointer in send. (Gustavo)
> V3:
> 1. Fix commit message with more info and another patch it fixes (Gustavo)
> 2. Target stable. (Gustavo)
> V2: Check for allocation failure.
>
> drivers/misc/mei/hdcp/mei_hdcp.c | 40 +++++++++++++++++++-------------
> 1 file changed, 24 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/misc/mei/hdcp/mei_hdcp.c b/drivers/misc/mei/hdcp/mei_hdcp.c
> index d1d3e025ca0e..9ae9669e46ea 100644
> --- a/drivers/misc/mei/hdcp/mei_hdcp.c
> +++ b/drivers/misc/mei/hdcp/mei_hdcp.c
> @@ -546,38 +546,46 @@ static int mei_hdcp_verify_mprime(struct device *dev,
> struct hdcp_port_data *data,
> struct hdcp2_rep_stream_ready *stream_ready)
> {
> - struct wired_cmd_repeater_auth_stream_req_in
> - verify_mprime_in = { { 0 } };
> + struct wired_cmd_repeater_auth_stream_req_in *verify_mprime_in;
> struct wired_cmd_repeater_auth_stream_req_out
> verify_mprime_out = { { 0 } };
> struct mei_cl_device *cldev;
> ssize_t byte;
> + size_t cmd_size;
>
> if (!dev || !stream_ready || !data)
> return -EINVAL;
>
> cldev = to_mei_cl_device(dev);
>
> - verify_mprime_in.header.api_version = HDCP_API_VERSION;
> - verify_mprime_in.header.command_id = WIRED_REPEATER_AUTH_STREAM_REQ;
> - verify_mprime_in.header.status = ME_HDCP_STATUS_SUCCESS;
> - verify_mprime_in.header.buffer_len =
> + cmd_size = struct_size(verify_mprime_in, streams, data->k);
> + if (cmd_size == SIZE_MAX)
> + return -EINVAL;
> +
> + verify_mprime_in = kzalloc(cmd_size, GFP_KERNEL);
> + if (!verify_mprime_in)
> + return -ENOMEM;
> +
> + verify_mprime_in->header.api_version = HDCP_API_VERSION;
> + verify_mprime_in->header.command_id = WIRED_REPEATER_AUTH_STREAM_REQ;
> + verify_mprime_in->header.status = ME_HDCP_STATUS_SUCCESS;
> + verify_mprime_in->header.buffer_len =
> WIRED_CMD_BUF_LEN_REPEATER_AUTH_STREAM_REQ_MIN_IN;
>
> - verify_mprime_in.port.integrated_port_type = data->port_type;
> - verify_mprime_in.port.physical_port = (u8)data->fw_ddi;
> - verify_mprime_in.port.attached_transcoder = (u8)data->fw_tc;
> + verify_mprime_in->port.integrated_port_type = data->port_type;
> + verify_mprime_in->port.physical_port = (u8)data->fw_ddi;
> + verify_mprime_in->port.attached_transcoder = (u8)data->fw_tc;
> +
> + memcpy(verify_mprime_in->m_prime, stream_ready->m_prime, HDCP_2_2_MPRIME_LEN);
> + drm_hdcp_cpu_to_be24(verify_mprime_in->seq_num_m, data->seq_num_m);
>
> - memcpy(verify_mprime_in.m_prime, stream_ready->m_prime,
> - HDCP_2_2_MPRIME_LEN);
> - drm_hdcp_cpu_to_be24(verify_mprime_in.seq_num_m, data->seq_num_m);
> - memcpy(verify_mprime_in.streams, data->streams,
> + memcpy(verify_mprime_in->streams, data->streams,
> array_size(data->k, sizeof(*data->streams)));
>
> - verify_mprime_in.k = cpu_to_be16(data->k);
> + verify_mprime_in->k = cpu_to_be16(data->k);
>
> - byte = mei_cldev_send(cldev, (u8 *)&verify_mprime_in,
> - sizeof(verify_mprime_in));
> + byte = mei_cldev_send(cldev, (u8 *)verify_mprime_in, cmd_size);
> + kfree(verify_mprime_in);
> if (byte < 0) {
> dev_dbg(dev, "mei_cldev_send failed. %zd\n", byte);
> return byte;
> --
> 2.25.4
>
Powered by blists - more mailing lists