bus: mhi: core: Read transfer length from an event properly - kernel/linux.git

diff options

author	Hemant Kumar <hemantk@codeaurora.org>	2020-05-21 20:02:39 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-05-22 10:35:41 +0300
commit	ee75cedf82d832561af8ba8380aeffd00a9eea77 (patch)
tree	7d032ce23f57f49bd86f96d5abc1bb6cc313c286 /drivers/bus/ts-nbus.c
parent	020960685041fc09ab6a23cf244477cdcbb75c5f (diff)
download	linux-ee75cedf82d832561af8ba8380aeffd00a9eea77.tar.xz

bus: mhi: core: Read transfer length from an event properly

When MHI Driver receives an EOT event, it reads xfer_len from the event in the last TRE. The value is under control of the MHI device and never validated by Host MHI driver. The value should never be larger than the real size of the buffer but a malicious device can set the value 0xFFFF as maximum. This causes driver to memory overflow (both read or write). Fix this issue by reading minimum of transfer length from event and the buffer length provided. Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org> Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Link: https://lore.kernel.org/r/20200521170249.21795-5-manivannan.sadhasivam@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'drivers/bus/ts-nbus.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: