www.infradead.org Git - users/dwmw2/linux.git/commit

author	Hemant Kumar <hemantk@codeaurora.org>
	Thu, 21 May 2020 17:02:39 +0000 (22:32 +0530)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 24 Jun 2020 15:48:53 +0000 (17:48 +0200)
commit	12b1de9ca00be16624fd14d2dfd03b6c33b78799
tree	27739d0a79300cf6392408d12c4d2c61e9c6698f	tree
parent	453b4e15a057ece15b216d4be23c660c1ca39fcb	commit \| diff

bus: mhi: core: Read transfer length from an event properly

[ Upstream commit ee75cedf82d832561af8ba8380aeffd00a9eea77 ]

When MHI Driver receives an EOT event, it reads xfer_len from the
event in the last TRE. The value is under control of the MHI device
and never validated by Host MHI driver. The value should never be
larger than the real size of the buffer but a malicious device can
set the value 0xFFFF as maximum. This causes driver to memory
overflow (both read or write). Fix this issue by reading minimum of
transfer length from event and the buffer length provided.

Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org>
Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20200521170249.21795-5-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>