From patchwork Tue Jun 23 19:54:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 223107 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 55546C433E0 for ; Tue, 23 Jun 2020 21:33:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3269920707 for ; Tue, 23 Jun 2020 21:33:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592948030; bh=3F8aM7jvCmG7bpGss2gYjzxYXAvh8Mb68zAIwo0oQHM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=kxeJRxfPcjGpXnrBds0a3xRKqkbsg7bglmoFVRM3sxE3sVLXEpbNy6GzdgtofaSQ1 wGqyA4fzLtw6lrNAKKj7+t4caOzTQixMbWkFKWpIREJ7pp3qs0z/hjGZFBgCgkP6kK dnDz1OrHZu2Hy+xGI9GZ0j1TOH3di+QRshNX1pWA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388882AbgFWULU (ORCPT ); Tue, 23 Jun 2020 16:11:20 -0400 Received: from mail.kernel.org ([198.145.29.99]:52622 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388141AbgFWULT (ORCPT ); Tue, 23 Jun 2020 16:11:19 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 837C7206C3; Tue, 23 Jun 2020 20:11:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592943079; bh=3F8aM7jvCmG7bpGss2gYjzxYXAvh8Mb68zAIwo0oQHM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hTGVPuR0m+YM1K3/Z0Y0jKG4nDsDE20RljDpHTLFgRTdm6k0K8CyZapFqLhnAZNK8 2wWVq7swOhfEUCKeANhTJY7biFKWO/xgTJoDlErO2OScMbx0BojexpiGSaQ3JnQVra WHK3XzhFIMRSwGItWw85Sev/4uWSw+4z/a7hbuf0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hemant Kumar , Bhaumik Bhatt , Jeffrey Hugo , Manivannan Sadhasivam , Sasha Levin Subject: [PATCH 5.7 252/477] bus: mhi: core: Read transfer length from an event properly Date: Tue, 23 Jun 2020 21:54:09 +0200 Message-Id: <20200623195419.484108555@linuxfoundation.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200623195407.572062007@linuxfoundation.org> References: <20200623195407.572062007@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Hemant Kumar [ Upstream commit ee75cedf82d832561af8ba8380aeffd00a9eea77 ] When MHI Driver receives an EOT event, it reads xfer_len from the event in the last TRE. The value is under control of the MHI device and never validated by Host MHI driver. The value should never be larger than the real size of the buffer but a malicious device can set the value 0xFFFF as maximum. This causes driver to memory overflow (both read or write). Fix this issue by reading minimum of transfer length from event and the buffer length provided. Signed-off-by: Hemant Kumar Signed-off-by: Bhaumik Bhatt Reviewed-by: Jeffrey Hugo Reviewed-by: Manivannan Sadhasivam Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20200521170249.21795-5-manivannan.sadhasivam@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/bus/mhi/core/main.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c index 97e06cc586e4f..8be3d0fb06145 100644 --- a/drivers/bus/mhi/core/main.c +++ b/drivers/bus/mhi/core/main.c @@ -513,7 +513,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, mhi_cntrl->unmap_single(mhi_cntrl, buf_info); result.buf_addr = buf_info->cb_buf; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = + min_t(u16, xfer_len, buf_info->len); mhi_del_ring_element(mhi_cntrl, buf_ring); mhi_del_ring_element(mhi_cntrl, tre_ring); local_rp = tre_ring->rp; @@ -597,7 +600,9 @@ static int parse_rsc_event(struct mhi_controller *mhi_cntrl, result.transaction_status = (ev_code == MHI_EV_CC_OVERFLOW) ? -EOVERFLOW : 0; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = min_t(u16, xfer_len, buf_info->len); result.buf_addr = buf_info->cb_buf; result.dir = mhi_chan->dir;