[3/8] usb: typec: ucsi: glink: check message data sizes

Message ID	20240416-ucsi-glink-altmode-v1-3-890db00877ac@linaro.org
State	New
Headers	show Received: from mail-lj1-f180.google.com (mail-lj1-f180.google.com [209.85.208.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C156F11C83 for <linux-arm-msm@vger.kernel.org>; Tue, 16 Apr 2024 02:20:57 +0000 (UTC) From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> Date: Tue, 16 Apr 2024 05:20:52 +0300 Subject: [PATCH 3/8] usb: typec: ucsi: glink: check message data sizes Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20240416-ucsi-glink-altmode-v1-3-890db00877ac@linaro.org> References: <20240416-ucsi-glink-altmode-v1-0-890db00877ac@linaro.org> In-Reply-To: <20240416-ucsi-glink-altmode-v1-0-890db00877ac@linaro.org> To: Heikki Krogerus <heikki.krogerus@linux.intel.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Neil Armstrong <neil.armstrong@linaro.org>, Bjorn Andersson <andersson@kernel.org>, Konrad Dybcio <konrad.dybcio@linaro.org> Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org, Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Series	usb: typec: ucsi: glink: merge in altmode support \| expand [0/8] usb: typec: ucsi: glink: merge in altmode support [1/8] usb: typec: Handle retimers in typec_set_mode() [2/8] usb: typec: altmode: add low level altmode configuration helper [3/8] usb: typec: ucsi: glink: check message data sizes [4/8] usb: typec: ucsi: glink: use le32 for message data [5/8] usb: typec: ucsi: glink: simplify notification handling [6/8] usb: typec: ucsi: add ucsi_registered() callback [7/8] usb: typec: ucsi: glink: merge pmic_glink_altmode driver [8/8] soc: qcom: pmic-glink: drop separate altmode driver support

Message ID

20240416-ucsi-glink-altmode-v1-3-890db00877ac@linaro.org

State

New

Headers

From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Date: Tue, 16 Apr 2024 05:20:52 +0300
Subject: [PATCH 3/8] usb: typec: ucsi: glink: check message data sizes
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20240416-ucsi-glink-altmode-v1-3-890db00877ac@linaro.org>
References: <20240416-ucsi-glink-altmode-v1-0-890db00877ac@linaro.org>
In-Reply-To: <20240416-ucsi-glink-altmode-v1-0-890db00877ac@linaro.org>
To: Heikki Krogerus <heikki.krogerus@linux.intel.com>,
 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 Neil Armstrong <neil.armstrong@linaro.org>,
 Bjorn Andersson <andersson@kernel.org>,
 Konrad Dybcio <konrad.dybcio@linaro.org>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-arm-msm@vger.kernel.org,
 Dmitry Baryshkov <dmitry.baryshkov@linaro.org>

Series

usb: typec: ucsi: glink: merge in altmode support | expand

Commit Message

Dmitry Baryshkov April 16, 2024, 2:20 a.m. UTC

The driver gets data from the DSP firmware. Sanitize data size before
reading corresponding message structures.

Fixes: 62b5412b1f4a ("usb: typec: ucsi: add PMIC Glink UCSI driver")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
---
 drivers/usb/typec/ucsi/ucsi_glink.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

Comments

Konrad Dybcio April 16, 2024, 2:33 p.m. UTC | #1

On 4/16/24 04:20, Dmitry Baryshkov wrote:
> The driver gets data from the DSP firmware. Sanitize data size before
> reading corresponding message structures.
> 
> Fixes: 62b5412b1f4a ("usb: typec: ucsi: add PMIC Glink UCSI driver")
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> ---

I think more backstory would be beneficial here.. Does this happen often?
What are the consequences? What are the causes? Can there be one-off invalid
messages, or does that mean the firwmare has entered some unstable state?

And I suppose, if answer to the last question is "unstable state", are we
doing something incorrectly in Linux that causes it to happen?

Konrad

diff --git a/drivers/usb/typec/ucsi/ucsi_glink.c b/drivers/usb/typec/ucsi/ucsi_glink.c
index f7546bb488c3..6be9d89d4a28 100644
--- a/drivers/usb/typec/ucsi/ucsi_glink.c
+++ b/drivers/usb/typec/ucsi/ucsi_glink.c
@@ -223,9 +223,16 @@  static const struct ucsi_operations pmic_glink_ucsi_ops = {
 	.connector_status = pmic_glink_ucsi_connector_status,
 };
 
-static void pmic_glink_ucsi_read_ack(struct pmic_glink_ucsi *ucsi, const void *data, int len)
+static void pmic_glink_ucsi_read_ack(struct pmic_glink_ucsi *ucsi, const void *data, size_t len)
 {
-	const struct ucsi_read_buf_resp_msg *resp = data;
+	const struct ucsi_read_buf_resp_msg *resp;
+
+	if (len != sizeof (*resp)) {
+		dev_err_ratelimited(ucsi->dev, "Unexpected read response struct size %zd\n", len);
+		return;
+	}
+
+	resp = data;
 
 	if (resp->ret_code)
 		return;
@@ -234,9 +241,16 @@  static void pmic_glink_ucsi_read_ack(struct pmic_glink_ucsi *ucsi, const void *d
 	complete(&ucsi->read_ack);
 }
 
-static void pmic_glink_ucsi_write_ack(struct pmic_glink_ucsi *ucsi, const void *data, int len)
+static void pmic_glink_ucsi_write_ack(struct pmic_glink_ucsi *ucsi, const void *data, size_t len)
 {
-	const struct ucsi_write_buf_resp_msg *resp = data;
+	const struct ucsi_write_buf_resp_msg *resp;
+
+	if (len != sizeof (*resp)) {
+		dev_err_ratelimited(ucsi->dev, "Unexpected write ack struct size %zd\n", len);
+		return;
+	}
+
+	resp = data;
 
 	if (resp->ret_code)
 		return;

[3/8] usb: typec: ucsi: glink: check message data sizes

Commit Message

Comments

Patch