| Message ID | 1588042766-17496-4-git-send-email-bbhatt@codeaurora.org (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Bug fixes and improved logging in MHI | expand |
On 4/27/2020 8:59 PM, Bhaumik Bhatt wrote: > From: Hemant Kumar <hemantk@codeaurora.org> > > When MHI Driver receives an EOT event, it reads xfer_len from the > event in the last TRE. The value is under control of the MHI device > and never validated by Host MHI driver. The value should never be > larger than the real size of the buffer but a malicious device can > set the value 0xFFFF as maximum. This causes device to memory The device will overflow, or the driver? > overflow (both read or write). Fix this issue by reading minimum of > transfer length from event and the buffer length provided. > > Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> > Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org> > --- > drivers/bus/mhi/core/main.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c > index 1ccd4cc..3d468d9 100644 > --- a/drivers/bus/mhi/core/main.c > +++ b/drivers/bus/mhi/core/main.c > @@ -521,7 +521,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, > mhi_cntrl->unmap_single(mhi_cntrl, buf_info); > > result.buf_addr = buf_info->cb_buf; > - result.bytes_xferd = xfer_len; > + > + /* truncate to buf len if xfer_len is larger */ > + result.bytes_xferd = > + min_t(u16, xfer_len, buf_info->len); > mhi_del_ring_element(mhi_cntrl, buf_ring); > mhi_del_ring_element(mhi_cntrl, tre_ring); > local_rp = tre_ring->rp; >
Hi Jeff On 4/28/20 7:50 AM, Jeffrey Hugo wrote: > On 4/27/2020 8:59 PM, Bhaumik Bhatt wrote: >> From: Hemant Kumar <hemantk@codeaurora.org> >> >> When MHI Driver receives an EOT event, it reads xfer_len from the >> event in the last TRE. The value is under control of the MHI device >> and never validated by Host MHI driver. The value should never be >> larger than the real size of the buffer but a malicious device can >> set the value 0xFFFF as maximum. This causes device to memory > > The device will overflow, or the driver? Done. > >> overflow (both read or write). Fix this issue by reading minimum of >> transfer length from event and the buffer length provided. >> >> Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> >> Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org> >> --- >> drivers/bus/mhi/core/main.c | 5 ++++- >> 1 file changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c >> index 1ccd4cc..3d468d9 100644 >> --- a/drivers/bus/mhi/core/main.c >> +++ b/drivers/bus/mhi/core/main.c >> @@ -521,7 +521,10 @@ static int parse_xfer_event(struct mhi_controller >> *mhi_cntrl, >> mhi_cntrl->unmap_single(mhi_cntrl, buf_info); >> result.buf_addr = buf_info->cb_buf; >> - result.bytes_xferd = xfer_len; >> + >> + /* truncate to buf len if xfer_len is larger */ >> + result.bytes_xferd = >> + min_t(u16, xfer_len, buf_info->len); >> mhi_del_ring_element(mhi_cntrl, buf_ring); >> mhi_del_ring_element(mhi_cntrl, tre_ring); >> local_rp = tre_ring->rp; >> > >
diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c index 1ccd4cc..3d468d9 100644 --- a/drivers/bus/mhi/core/main.c +++ b/drivers/bus/mhi/core/main.c @@ -521,7 +521,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, mhi_cntrl->unmap_single(mhi_cntrl, buf_info); result.buf_addr = buf_info->cb_buf; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = + min_t(u16, xfer_len, buf_info->len); mhi_del_ring_element(mhi_cntrl, buf_ring); mhi_del_ring_element(mhi_cntrl, tre_ring); local_rp = tre_ring->rp;