From patchwork Thu Dec 22 18:38:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cristian Marussi X-Patchwork-Id: 35900 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:e747:0:0:0:0:0 with SMTP id c7csp107906wrn; Thu, 22 Dec 2022 10:43:56 -0800 (PST) X-Google-Smtp-Source: AMrXdXvcZxjl16LC7leSAXxvpJx7pZ7O4kKV0d52KnJ0PfSZ8Eix8iQogtyZNuybEi8bZr+4nIh8 X-Received: by 2002:a17:906:184a:b0:78d:f456:1ed0 with SMTP id w10-20020a170906184a00b0078df4561ed0mr9505001eje.33.1671734636265; Thu, 22 Dec 2022 10:43:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1671734636; cv=none; d=google.com; s=arc-20160816; b=c5vdz/c9KgLeSpQjyWje9FO31QWOPMDd9tns7uw+atJpMYD152uokuPoKE6HXGilDE vmFYouMuBqh6rGsQPgSdPn7LWzlxJNogEuE/yELFvfH6hGXN30zpZDga0jVVEYavl6Ib 88gPXWFtB5erxgh1+LMM3oAttetVECmIRA4cJc+C808MmT5ep36Rv6UtQfwWmqxc5QHJ zUsBWKW7nyeRCVYKCV0EfI6YSnilEyLZbe+hOiMiXhYONSRBUjPpeTE2m1DYBvwaQibV 3+NpTA1Uo20+QEEoW8jXbOkMROu82QTHJMATg0z6w7gT8q/gsgqCkpXRUWQKHxYJmV+9 cmvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=pv42xKTVa5o2uys5A6+FEL+H6ruAC7lPymVwRwmvOK4=; b=0tRHpIx7ynGkKBzTO/i7SOJxdNMm42Mch+9DFQVC5QxH3jCz6fRtJHKY3A+/eAt4Zb xb+B/rbWAY7uyqFpJdgr4Bo9WCxd9bcyQIX5q+GC3dVLOmtUp7Jc993Egwqg5hPi8eRz L53Am+/oMoGpSmJuxfo9t9CRrBl9xLlyTQt8o0GPBoODJIT7quAWI1TwUtlJsO1zBH0B qWYW5r1KXYFYB2JPAxld0Q4K3lJ7WsVk4VwR+429lS1d1sIWIVaupLvgkXRC57BgXbTJ pjyW5n3iRkYRrxBu7F0DMI0xgWs946m09ZrFqryTdlUsrT+/guzxIWzwsFxIigLmmvNk 5rBw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id he30-20020a1709073d9e00b007c1247d65a8si1091923ejc.687.2022.12.22.10.43.32; Thu, 22 Dec 2022 10:43:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235285AbiLVSiy (ORCPT + 99 others); Thu, 22 Dec 2022 13:38:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56322 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230357AbiLVSip (ORCPT ); Thu, 22 Dec 2022 13:38:45 -0500 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BA0FF1D320 for ; Thu, 22 Dec 2022 10:38:44 -0800 (PST) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 963391595; Thu, 22 Dec 2022 10:39:25 -0800 (PST) Received: from e120937-lin.. (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id CD7323FAFB; Thu, 22 Dec 2022 10:38:43 -0800 (PST) From: Cristian Marussi To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Cc: sudeep.holla@arm.com, cristian.marussi@arm.com Subject: [PATCH 2/5] firmware: arm_scmi: Harden shared memory access in fetch_response Date: Thu, 22 Dec 2022 18:38:20 +0000 Message-Id: <20221222183823.518856-3-cristian.marussi@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221222183823.518856-1-cristian.marussi@arm.com> References: <20221222183823.518856-1-cristian.marussi@arm.com> MIME-Version: 1.0 X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1752940817870121918?= X-GMAIL-MSGID: =?utf-8?q?1752940817870121918?= A misbheaving SCMI platform firmware could reply with out-of-spec messages, shorter than the mimimum size comprising a header and a status field. Harden shmem_fetch_response to properly truncate such a bad messages. Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type") Signed-off-by: Cristian Marussi --- drivers/firmware/arm_scmi/shmem.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/arm_scmi/shmem.c b/drivers/firmware/arm_scmi/shmem.c index 1dfe534b8518..135f8718000f 100644 --- a/drivers/firmware/arm_scmi/shmem.c +++ b/drivers/firmware/arm_scmi/shmem.c @@ -81,10 +81,11 @@ u32 shmem_read_header(struct scmi_shared_mem __iomem *shmem) void shmem_fetch_response(struct scmi_shared_mem __iomem *shmem, struct scmi_xfer *xfer) { + size_t len = ioread32(&shmem->length); + xfer->hdr.status = ioread32(shmem->msg_payload); /* Skip the length of header and status in shmem area i.e 8 bytes */ - xfer->rx.len = min_t(size_t, xfer->rx.len, - ioread32(&shmem->length) - 8); + xfer->rx.len = min_t(size_t, xfer->rx.len, len > 8 ? len - 8 : 0); /* Take a copy to the rx buffer.. */ memcpy_fromio(xfer->rx.buf, shmem->msg_payload + 4, xfer->rx.len);