Re: [PATCH v2 3/8] bus: mhi: core: Read transfer length from an event properly
From: Hemant Kumar
Date: Wed Apr 29 2020 - 13:30:43 EST
Hi Jeff
On 4/28/20 7:50 AM, Jeffrey Hugo wrote:
On 4/27/2020 8:59 PM, Bhaumik Bhatt wrote:
From: Hemant Kumar <hemantk@xxxxxxxxxxxxxx>
When MHI Driver receives an EOT event, it reads xfer_len from the
event in the last TRE. The value is under control of the MHI device
and never validated by Host MHI driver. The value should never be
larger than the real size of the buffer but a malicious device can
set the value 0xFFFF as maximum. This causes device to memory
The device will overflow, or the driver?
Done.
overflow (both read or write). Fix this issue by reading minimum of
transfer length from event and the buffer length provided.
Signed-off-by: Hemant Kumar <hemantk@xxxxxxxxxxxxxx>
Signed-off-by: Bhaumik Bhatt <bbhatt@xxxxxxxxxxxxxx>
---
 drivers/bus/mhi/core/main.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c
index 1ccd4cc..3d468d9 100644
--- a/drivers/bus/mhi/core/main.c
+++ b/drivers/bus/mhi/core/main.c
@@ -521,7 +521,10 @@ static int parse_xfer_event(struct mhi_controller
*mhi_cntrl,
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ mhi_cntrl->unmap_single(mhi_cntrl, buf_info);
ÂÂÂÂÂÂÂÂÂÂÂÂÂ result.buf_addr = buf_info->cb_buf;
-ÂÂÂÂÂÂÂÂÂÂÂ result.bytes_xferd = xfer_len;
+
+ÂÂÂÂÂÂÂÂÂÂÂ /* truncate to buf len if xfer_len is larger */
+ÂÂÂÂÂÂÂÂÂÂÂ result.bytes_xferd =
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ min_t(u16, xfer_len, buf_info->len);
ÂÂÂÂÂÂÂÂÂÂÂÂÂ mhi_del_ring_element(mhi_cntrl, buf_ring);
ÂÂÂÂÂÂÂÂÂÂÂÂÂ mhi_del_ring_element(mhi_cntrl, tre_ring);
ÂÂÂÂÂÂÂÂÂÂÂÂÂ local_rp = tre_ring->rp;
--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project