Re: [PATCH v4 4/8] bus: mhi: core: Read transfer length from an event properly

From: Jeffrey Hugo
Date: Mon May 04 2020 - 10:31:33 EST

Next message: Jeffrey Hugo: "Re: [PATCH v4 8/8] bus: mhi: core: Ensure non-zero session or sequence ID values are used"
Previous message: Masahiro Yamada: "Re: [PATCH] i2c: drivers: Remove superfluous error message"
In reply to: Bhaumik Bhatt: "[PATCH v4 4/8] bus: mhi: core: Read transfer length from an event properly"
Next in thread: Bhaumik Bhatt: "[PATCH v4 3/8] bus: mhi: core: Add range check for channel id received in event ring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/1/2020 8:32 PM, Bhaumik Bhatt wrote:

From: Hemant Kumar <hemantk@xxxxxxxxxxxxxx>

When MHI Driver receives an EOT event, it reads xfer_len from the
event in the last TRE. The value is under control of the MHI device
and never validated by Host MHI driver. The value should never be
larger than the real size of the buffer but a malicious device can
set the value 0xFFFF as maximum. This causes driver to memory
overflow (both read or write). Fix this issue by reading minimum of
transfer length from event and the buffer length provided.

Signed-off-by: Hemant Kumar <hemantk@xxxxxxxxxxxxxx>
Signed-off-by: Bhaumik Bhatt <bbhatt@xxxxxxxxxxxxxx>

Reviewed-by: Jeffrey Hugo <jhugo@xxxxxxxxxxxxxx>

--
Jeffrey Hugo
Qualcomm Technologies, Inc. is a member of the
Code Aurora Forum, a Linux Foundation Collaborative Project.

Next message: Jeffrey Hugo: "Re: [PATCH v4 8/8] bus: mhi: core: Ensure non-zero session or sequence ID values are used"
Previous message: Masahiro Yamada: "Re: [PATCH] i2c: drivers: Remove superfluous error message"
In reply to: Bhaumik Bhatt: "[PATCH v4 4/8] bus: mhi: core: Read transfer length from an event properly"
Next in thread: Bhaumik Bhatt: "[PATCH v4 3/8] bus: mhi: core: Add range check for channel id received in event ring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]