From patchwork Thu Dec 22 18:38:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cristian Marussi X-Patchwork-Id: 35902 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:e747:0:0:0:0:0 with SMTP id c7csp108775wrn; Thu, 22 Dec 2022 10:46:20 -0800 (PST) X-Google-Smtp-Source: AMrXdXsY90G13UmtpFY91jjex4CFvpDetvZleJjGHoYDdHrNzqxMGhX3+F8Vm/2sItPiKN0xKOeI X-Received: by 2002:aa7:d589:0:b0:46c:d2f2:123d with SMTP id r9-20020aa7d589000000b0046cd2f2123dmr5812951edq.40.1671734780038; Thu, 22 Dec 2022 10:46:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1671734780; cv=none; d=google.com; s=arc-20160816; b=jh7HD0ajCmGaBg1JlRadR5ksF2EdGSxrtOS8QO58V3UBOgJY+RAUog2X+rWDKliFly fg4y2MAtRxDb0rg1NeOa1UxbiKdETWdKwsIlIzFtnv8WN/F5ZigotxBjBExJJzza24Qh Pctnj88x2OwVIXYdT8astYKq32Pa8n08ELJxzyZjAOFiMrDVGtesUwyAcix7dcunnyQF Ggcdg5YW8XCJMXPI39l5UP3JQaq4AKBWcTM51yN4kLgMyzGRAMRJIxYpbgfmmybcLmKh eQ7XogPWeMjbjrDFy2TIrAKe/NbDR1ovUUp+QlL1qXRbCLcultD/7A1NsZU8PEE7oSSp 93sA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=JXQ/UQPT656CR5yHneNcSt52JhvnXm8ShuRkkoDcLto=; b=T7RG2M7ubUswXJiTn86Ag2BNAQPzENSNixESGRutSpIxsEpxc95HCFcw+vcfXNHEFc 47jcqIvX5pNMISAXo9BKxjm2hrVzDyxqJAUAo7GOhLePpppJyKT6Uexx5r1NWhRlGBii idiE5ANzT8ueLkns5mruHbwtX9RdkX8vd0uuYyio42jbd/i8LUJsXSZIc+cjfzOBX49t fdfliWPvRC041DbdBodmj7pKuBXJsz2i33eyy6j43pDIMXJpG+kXK3DBpPX39Iun4z0s qPMH7YIJHHgUPxxAiAMBuK/lB7BxDgRDosoAR+2jD0wHFigqC7Mo8oSwtp1cssMmbq+H D1Qg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id cw9-20020a170906478900b007aeaacd5592si1022955ejc.124.2022.12.22.10.45.55; Thu, 22 Dec 2022 10:46:20 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235379AbiLVSi5 (ORCPT + 99 others); Thu, 22 Dec 2022 13:38:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56346 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230444AbiLVSiq (ORCPT ); Thu, 22 Dec 2022 13:38:46 -0500 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id A9BA81D661 for ; Thu, 22 Dec 2022 10:38:45 -0800 (PST) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 869A2169E; Thu, 22 Dec 2022 10:39:26 -0800 (PST) Received: from e120937-lin.. (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id BF6703FAFB; Thu, 22 Dec 2022 10:38:44 -0800 (PST) From: Cristian Marussi To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Cc: sudeep.holla@arm.com, cristian.marussi@arm.com Subject: [PATCH 3/5] firmware: arm_scmi: Harden shared memory access in fetch_notification Date: Thu, 22 Dec 2022 18:38:21 +0000 Message-Id: <20221222183823.518856-4-cristian.marussi@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221222183823.518856-1-cristian.marussi@arm.com> References: <20221222183823.518856-1-cristian.marussi@arm.com> MIME-Version: 1.0 X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1752940968736157683?= X-GMAIL-MSGID: =?utf-8?q?1752940968736157683?= A misbheaving SCMI platform firmware could reply with out-of-spec notifications, shorter than the mimimum size comprising a header. Fixes: d5141f37c42e ("firmware: arm_scmi: Add notifications support in transport layer") Signed-off-by: Cristian Marussi --- drivers/firmware/arm_scmi/shmem.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/arm_scmi/shmem.c b/drivers/firmware/arm_scmi/shmem.c index 135f8718000f..87b4f4d35f06 100644 --- a/drivers/firmware/arm_scmi/shmem.c +++ b/drivers/firmware/arm_scmi/shmem.c @@ -94,8 +94,10 @@ void shmem_fetch_response(struct scmi_shared_mem __iomem *shmem, void shmem_fetch_notification(struct scmi_shared_mem __iomem *shmem, size_t max_len, struct scmi_xfer *xfer) { + size_t len = ioread32(&shmem->length); + /* Skip only the length of header in shmem area i.e 4 bytes */ - xfer->rx.len = min_t(size_t, max_len, ioread32(&shmem->length) - 4); + xfer->rx.len = min_t(size_t, max_len, len > 4 ? len - 4 : 0); /* Take a copy to the rx buffer.. */ memcpy_fromio(xfer->rx.buf, shmem->msg_payload, xfer->rx.len);