lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <151f5738-791e-42cb-b8fe-e0cfbf9f7dca@quicinc.com>
Date: Mon, 29 Jan 2024 16:18:36 +0530
From: Deepak Kumar Singh <quic_deesin@...cinc.com>
To: Michal Koutný <mkoutny@...e.com>,
        <linux-arm-msm@...r.kernel.org>, <linux-remoteproc@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>
CC: Bjorn Andersson <andersson@...nel.org>,
        Konrad Dybcio
	<konrad.dybcio@...aro.org>,
        Mathieu Poirier <mathieu.poirier@...aro.org>, <afaerber@...e.com>,
        <ivan.ivanov@...e.com>
Subject: Re: [RFC PATCH] rpmsg: glink: Add bounds check on tx path



On 1/13/2024 5:55 AM, Michal Koutný wrote:
> Add bounds check on values read from shared memory in the tx path. In
> cases where the VM is misbehaving, the transport should exit and print a
> warning when bogus values may cause out of bounds to be read.
> 
> Link: https://git.codelinaro.org/clo/la/kernel/msm-5.10/-/commit/32d9c3a2f2b6a4d1fc48d6871194f3faf3184e8b
> Suggested-by: Chris Lew <quic_clew@...cinc.com>
> Suggested-by: Sarannya S <quic_sarannya@...cinc.com>
> Signed-off-by: Michal Koutný <mkoutny@...e.com>
> ---
>   drivers/rpmsg/qcom_glink_smem.c | 9 +++++++++
>   1 file changed, 9 insertions(+)
> 
> Why RFC? The patch is adopted from the link above. It would be good to
> asses whether such conditions can also happen with rpmsg glink.
> (And if so, whether the zeroed values are the best correction.)
> 
Hi Michal,

There is already a patch posted for similar problem -
https://lore.kernel.org/all/20231201110631.669085-1-quic_deesin@quicinc.com/

> diff --git a/drivers/rpmsg/qcom_glink_smem.c b/drivers/rpmsg/qcom_glink_smem.c
> index 7a982c60a8dd..3e786e590c03 100644
> --- a/drivers/rpmsg/qcom_glink_smem.c
> +++ b/drivers/rpmsg/qcom_glink_smem.c
> @@ -146,6 +146,11 @@ static size_t glink_smem_tx_avail(struct qcom_glink_pipe *np)
>   	else
>   		avail -= FIFO_FULL_RESERVE + TX_BLOCKED_CMD_RESERVE;
>   
> +	if (avail > pipe->native.length) {
> +		pr_warn_once("%s: avail clamped\n", __func__);
> +		avail = 0;
> +	}
> +
>   	return avail;
>   }
>   
> @@ -177,6 +182,10 @@ static void glink_smem_tx_write(struct qcom_glink_pipe *glink_pipe,
>   	unsigned int head;
>   
>   	head = le32_to_cpu(*pipe->head);
> +	if (head > pipe->native.length) {
> +		pr_warn_once("%s: head overflow\n", __func__);
> +		return;
> +	}
>   
>   	head = glink_smem_tx_write_one(pipe, head, hdr, hlen);
>   	head = glink_smem_tx_write_one(pipe, head, data, dlen);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ