| Message ID | 1588386725-1165-5-git-send-email-bbhatt@codeaurora.org |
|---|---|
| State | New |
| Headers | show |
| Series | [v4,1/8] bus: mhi: core: Refactor mhi queue APIs | expand |
On 5/1/2020 8:32 PM, Bhaumik Bhatt wrote: > From: Hemant Kumar <hemantk@codeaurora.org> > > When MHI Driver receives an EOT event, it reads xfer_len from the > event in the last TRE. The value is under control of the MHI device > and never validated by Host MHI driver. The value should never be > larger than the real size of the buffer but a malicious device can > set the value 0xFFFF as maximum. This causes driver to memory > overflow (both read or write). Fix this issue by reading minimum of > transfer length from event and the buffer length provided. > > Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> > Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org> Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org>
diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c index e60ab21..159732e 100644 --- a/drivers/bus/mhi/core/main.c +++ b/drivers/bus/mhi/core/main.c @@ -514,7 +514,10 @@ static int parse_xfer_event(struct mhi_controller *mhi_cntrl, mhi_cntrl->unmap_single(mhi_cntrl, buf_info); result.buf_addr = buf_info->cb_buf; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = + min_t(u16, xfer_len, buf_info->len); mhi_del_ring_element(mhi_cntrl, buf_ring); mhi_del_ring_element(mhi_cntrl, tre_ring); local_rp = tre_ring->rp; @@ -598,7 +601,9 @@ static int parse_rsc_event(struct mhi_controller *mhi_cntrl, result.transaction_status = (ev_code == MHI_EV_CC_OVERFLOW) ? -EOVERFLOW : 0; - result.bytes_xferd = xfer_len; + + /* truncate to buf len if xfer_len is larger */ + result.bytes_xferd = min_t(u16, xfer_len, buf_info->len); result.buf_addr = buf_info->cb_buf; result.dir = mhi_chan->dir;