lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <aBnxKrVxurLZ_7k9@kuha.fi.intel.com>
Date: Tue, 6 May 2025 14:23:22 +0300
From: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
To: amitsd@...gle.com
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Badhri Jagan Sridharan <badhri@...gle.com>,
	André Draszik <andre.draszik@...aro.org>,
	Peter Griffin <peter.griffin@...aro.org>,
	Tudor Ambarus <tudor.ambarus@...aro.org>,
	RD Babiera <rdbabiera@...gle.com>, linux-usb@...r.kernel.org,
	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	Kyle Tso <kyletso@...gle.com>
Subject: Re: [PATCH] usb: typec: tcpm/tcpci_maxim: Fix bounds check in
 process_rx()

On Fri, May 02, 2025 at 04:57:03PM -0700, Amit Sunil Dhamne via B4 Relay wrote:
> From: Amit Sunil Dhamne <amitsd@...gle.com>
> 
> Register read of TCPC_RX_BYTE_CNT returns the total size consisting of:
> 
>   PD message (pending read) size + 1 Byte for Frame Type (SOP*)
> 
> This is validated against the max PD message (`struct pd_message`) size
> without accounting for the extra byte for the frame type. Note that the
> struct pd_message does not contain a field for the frame_type. This
> results in false negatives when the "PD message (pending read)" is equal
> to the max PD message size.
> 
> Fixes: 6f413b559f86 ("usb: typec: tcpci_maxim: Chip level TCPC driver")
> Signed-off-by: Amit Sunil Dhamne <amitsd@...gle.com>
> Signed-off-by: Badhri Jagan Sridharan <badhri@...gle.com>
> Reviewed-by: Kyle Tso <kyletso@...gle.com>

Reviewed-by: Heikki Krogerus <heikki.krogerus@...ux.intel.com>

> ---
>  drivers/usb/typec/tcpm/tcpci_maxim_core.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/typec/tcpm/tcpci_maxim_core.c b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
> index fd1b80593367641a6f997da2fb97a2b7238f6982..648311f5e3cf135f23b5cc0668001d2f177b9edd 100644
> --- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
> +++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
> @@ -166,7 +166,8 @@ static void process_rx(struct max_tcpci_chip *chip, u16 status)
>  		return;
>  	}
>  
> -	if (count > sizeof(struct pd_message) || count + 1 > TCPC_RECEIVE_BUFFER_LEN) {
> +	if (count > sizeof(struct pd_message) + 1 ||
> +	    count + 1 > TCPC_RECEIVE_BUFFER_LEN) {
>  		dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d\n", count);
>  		return;
>  	}
> 
> ---
> base-commit: ebd297a2affadb6f6f4d2e5d975c1eda18ac762d
> change-id: 20250421-b4-new-fix-pd-rx-count-79297ba619b7
> 
> Best regards,
> -- 
> Amit Sunil Dhamne <amitsd@...gle.com>
> 

-- 
heikki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ