summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorHemant Kumar <hemantk@codeaurora.org>2020-05-21 19:02:39 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-05-22 09:35:41 +0200
commitee75cedf82d832561af8ba8380aeffd00a9eea77 (patch)
tree7d032ce23f57f49bd86f96d5abc1bb6cc313c286 /drivers
parentbus: mhi: core: Add range check for channel id received in event ring (diff)
downloadlinux-ee75cedf82d832561af8ba8380aeffd00a9eea77.tar.xz
linux-ee75cedf82d832561af8ba8380aeffd00a9eea77.zip
bus: mhi: core: Read transfer length from an event properly
When MHI Driver receives an EOT event, it reads xfer_len from the event in the last TRE. The value is under control of the MHI device and never validated by Host MHI driver. The value should never be larger than the real size of the buffer but a malicious device can set the value 0xFFFF as maximum. This causes driver to memory overflow (both read or write). Fix this issue by reading minimum of transfer length from event and the buffer length provided. Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org> Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Link: https://lore.kernel.org/r/20200521170249.21795-5-manivannan.sadhasivam@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/bus/mhi/core/main.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c
index 30798ec3950a..6a8066640e78 100644
--- a/drivers/bus/mhi/core/main.c
+++ b/drivers/bus/mhi/core/main.c
@@ -514,7 +514,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl,
mhi_cntrl->unmap_single(mhi_cntrl, buf_info);
result.buf_addr = buf_info->cb_buf;
- result.bytes_xferd = xfer_len;
+
+ /* truncate to buf len if xfer_len is larger */
+ result.bytes_xferd =
+ min_t(u16, xfer_len, buf_info->len);
mhi_del_ring_element(mhi_cntrl, buf_ring);
mhi_del_ring_element(mhi_cntrl, tre_ring);
local_rp = tre_ring->rp;
@@ -598,7 +601,9 @@ static int parse_rsc_event(struct mhi_controller *mhi_cntrl,
result.transaction_status = (ev_code == MHI_EV_CC_OVERFLOW) ?
-EOVERFLOW : 0;
- result.bytes_xferd = xfer_len;
+
+ /* truncate to buf len if xfer_len is larger */
+ result.bytes_xferd = min_t(u16, xfer_len, buf_info->len);
result.buf_addr = buf_info->cb_buf;
result.dir = mhi_chan->dir;