lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20250910102843.61e4a277.michal.pecio@gmail.com>
Date: Wed, 10 Sep 2025 10:28:43 +0200
From: Michal Pecio <michal.pecio@...il.com>
To: Mathias Nyman <mathias.nyman@...ux.intel.com>, Greg Kroah-Hartman
 <gregkh@...uxfoundation.org>
Cc: Niklas Neronin <niklas.neronin@...ux.intel.com>,
 linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] usb: xhci: Check for events pointing above DMA space

On systems with 32 bit DMA, we could get events pointing above 4G due
bad link TRBs, contexts or commands, or simply HW malfunction.

Catch this when truncating to dma_addr_t, log the anomaly, bail out.
An alternative is to handle untrusted HW-originated DMAs as u64, but
it adds overhead on 32 bit machines for no clear benefit.

In 64 bit DMA builds this check should optimize to nothing and all
errors are handled as usual "event TRB doesn't match pending TRB".

Signed-off-by: Michal Pecio <michal.pecio@...il.com>
---
 drivers/usb/host/xhci-ring.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index a879c569c2f2..a2100e0a5d0a 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1809,6 +1809,12 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
 	cmd_dma = le64_to_cpu(event->cmd_trb);
 	cmd_trb = xhci->cmd_ring->dequeue;
 
+	if (sizeof(cmd_dma) < sizeof(u64) && cmd_dma < le64_to_cpu(event->cmd_trb)) {
+		xhci_err(xhci, "slot %d command completion points above DMA space (%#llx)\n",
+				slot_id, le64_to_cpu(event->cmd_trb));
+		return;
+	}
+
 	trace_xhci_handle_command(xhci->cmd_ring, &cmd_trb->generic, cmd_dma);
 
 	cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status));
@@ -2673,6 +2679,12 @@ static int handle_tx_event(struct xhci_hcd *xhci,
 	trb_comp_code = GET_COMP_CODE(le32_to_cpu(event->transfer_len));
 	ep_trb_dma = le64_to_cpu(event->buffer);
 
+	if (sizeof(ep_trb_dma) < sizeof(u64) && ep_trb_dma < le64_to_cpu(event->buffer)) {
+		xhci_err(xhci, "slot %d ep %d transfer event points above DMA space\n",
+				slot_id, ep_index);
+		goto err_out;
+	}
+
 	ep = xhci_get_virt_ep(xhci, slot_id, ep_index);
 	if (!ep) {
 		xhci_err(xhci, "ERROR Invalid Transfer event\n");
-- 
2.48.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ