[PATCH -next 2/2] platform/surface: aggregator_cdev: Add comments regarding unchecked allocation size

From: Maximilian Luz
Date: Mon Jan 11 2021 - 10:50:04 EST

Next message: Mikko Perttunen: "Re: [PATCH] i2c: tegra-bpmp: ignore DMA safe buffer flag"
Previous message: Maximilian Luz: "[PATCH -next 1/2] platform/surface: aggregator_cdev: Fix access of uninitialized variables"
In reply to: Maximilian Luz: "[PATCH -next 1/2] platform/surface: aggregator_cdev: Fix access of uninitialized variables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

CI static analysis complains about the allocation size in payload and
response buffers being unchecked. In general, these allocations should
be safe as the user-input is u16 and thus limited to U16_MAX, which is
only slightly larger than the theoretical maximum imposed by the
underlying SSH protocol.

All bounds on these values required by the underlying protocol are
enforced in ssam_request_sync() (or rather the functions called by it),
thus bounds here are only relevant for allocation.

Add comments explaining that this should be safe.

Reported-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
Fixes: 178f6ab77e61 ("platform/surface: Add Surface Aggregator user-space interface")
Addresses-Coverity: ("Untrusted allocation size")
Signed-off-by: Maximilian Luz <luzmaximilian@xxxxxxxxx>
---
.../surface/surface_aggregator_cdev.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/drivers/platform/surface/surface_aggregator_cdev.c b/drivers/platform/surface/surface_aggregator_cdev.c
index 979340cdd9de..ccfffe5eadfc 100644
--- a/drivers/platform/surface/surface_aggregator_cdev.c
+++ b/drivers/platform/surface/surface_aggregator_cdev.c
@@ -106,6 +106,15 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
goto out;
}

+ /*
+ * Note: spec.length is limited to U16_MAX bytes via struct
+ * ssam_cdev_request. This is slightly larger than the
+ * theoretical maximum (SSH_COMMAND_MAX_PAYLOAD_SIZE) of the
+ * underlying protocol (note that nothing remotely this size
+ * should ever be allocated in any normal case). This size is
+ * validated later in ssam_request_sync(), for allocation the
+ * bound imposed by u16 should be enough.
+ */
spec.payload = kzalloc(spec.length, GFP_KERNEL);
if (!spec.payload) {
ret = -ENOMEM;
@@ -125,6 +134,16 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
goto out;
}

+ /*
+ * Note: rsp.capacity is limited to U16_MAX bytes via struct
+ * ssam_cdev_request. This is slightly larger than the
+ * theoretical maximum (SSH_COMMAND_MAX_PAYLOAD_SIZE) of the
+ * underlying protocol (note that nothing remotely this size
+ * should ever be allocated in any normal case). In later use,
+ * this capacity does not have to be strictly bounded, as it
+ * is only used as an output buffer to be written to. For
+ * allocation the bound imposed by u16 should be enough.
+ */
rsp.pointer = kzalloc(rsp.capacity, GFP_KERNEL);
if (!rsp.pointer) {
ret = -ENOMEM;
--
2.30.0

Next message: Mikko Perttunen: "Re: [PATCH] i2c: tegra-bpmp: ignore DMA safe buffer flag"
Previous message: Maximilian Luz: "[PATCH -next 1/2] platform/surface: aggregator_cdev: Fix access of uninitialized variables"
In reply to: Maximilian Luz: "[PATCH -next 1/2] platform/surface: aggregator_cdev: Fix access of uninitialized variables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]