| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aBnxKrVxurLZ_7k9@kuha.fi.intel.com>
Date: Tue, 6 May 2025 14:23:22 +0300
From: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
To: amitsd@...gle.com
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Badhri Jagan Sridharan <badhri@...gle.com>,
André Draszik <andre.draszik@...aro.org>,
Peter Griffin <peter.griffin@...aro.org>,
Tudor Ambarus <tudor.ambarus@...aro.org>,
RD Babiera <rdbabiera@...gle.com>, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Kyle Tso <kyletso@...gle.com>
Subject: Re: [PATCH] usb: typec: tcpm/tcpci_maxim: Fix bounds check in
process_rx()
On Fri, May 02, 2025 at 04:57:03PM -0700, Amit Sunil Dhamne via B4 Relay wrote:
> From: Amit Sunil Dhamne <amitsd@...gle.com>
>
> Register read of TCPC_RX_BYTE_CNT returns the total size consisting of:
>
> PD message (pending read) size + 1 Byte for Frame Type (SOP*)
>
> This is validated against the max PD message (`struct pd_message`) size
> without accounting for the extra byte for the frame type. Note that the
> struct pd_message does not contain a field for the frame_type. This
> results in false negatives when the "PD message (pending read)" is equal
> to the max PD message size.
>
> Fixes: 6f413b559f86 ("usb: typec: tcpci_maxim: Chip level TCPC driver")
> Signed-off-by: Amit Sunil Dhamne <amitsd@...gle.com>
> Signed-off-by: Badhri Jagan Sridharan <badhri@...gle.com>
> Reviewed-by: Kyle Tso <kyletso@...gle.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
> ---
> drivers/usb/typec/tcpm/tcpci_maxim_core.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/typec/tcpm/tcpci_maxim_core.c b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
> index fd1b80593367641a6f997da2fb97a2b7238f6982..648311f5e3cf135f23b5cc0668001d2f177b9edd 100644
> --- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
> +++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
> @@ -166,7 +166,8 @@ static void process_rx(struct max_tcpci_chip *chip, u16 status)
> return;
> }
>
> - if (count > sizeof(struct pd_message) || count + 1 > TCPC_RECEIVE_BUFFER_LEN) {
> + if (count > sizeof(struct pd_message) + 1 ||
> + count + 1 > TCPC_RECEIVE_BUFFER_LEN) {
> dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d\n", count);
> return;
> }
>
> ---
> base-commit: ebd297a2affadb6f6f4d2e5d975c1eda18ac762d
> change-id: 20250421-b4-new-fix-pd-rx-count-79297ba619b7
>
> Best regards,
> --
> Amit Sunil Dhamne <amitsd@...gle.com>
>
--
heikki
Powered by blists - more mailing lists