Message ID | 20230731100311.2506271-1-quic_ipkumar@quicinc.com |
---|---|
State | New |
Headers | From: Praveenkumar I <quic_ipkumar@quicinc.com>; To: <agross@kernel.org>, <andersson@kernel.org>, <konrad.dybcio@linaro.org>, <linux-arm-msm@vger.kernel.org>, <linux-kernel@vger.kernel.org>; CC: <quic_varada@quicinc.com>, <quic_clew@quicinc.com>; Subject: [PATCH v2] soc: qcom: qmi_encdec: Restrict string length in decode; Date: Mon, 31 Jul 2023 15:33:11 +0530 |
Series | [v2] soc: qcom: qmi_encdec: Restrict string length in decode |
Commit Message
Praveenkumar I
July 31, 2023, 10:03 a.m. UTC
The QMI TLV value for strings in a lot of qmi element info structures
account for null terminated strings with MAX_LEN + 1. If a string is
actually MAX_LEN + 1 length, this will cause an out of bounds access
when the NULL character is appended in decoding.

Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
Cc: stable@vger.kernel.org
Signed-off-by: Chris Lew <quic_clew@quicinc.com>
Signed-off-by: Praveenkumar I <quic_ipkumar@quicinc.com>
---
[v2]:
Added Fixes and Cc: stable

drivers/soc/qcom/qmi_encdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
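The off-by-one described in the commit message, as an added example that is not part of the patch or the kernel source: a simplified user-space model of the decode, run with the original `>` comparison and with the patched `>=`. `MAX_LEN`, `decode_string`, `guard_clobbered`, the one-byte length prefix and the error constants are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_LEN       8              /* hypothetical longest text */
#define ELEM_LEN      (MAX_LEN + 1)  /* declared size: text plus NUL */
#define CANARY        0xA5
#define ERR_TOOSMALL  (-1)           /* stand-in for -ETOOSMALL */
#define ERR_TRUNCATED (-2)           /* stand-in: length exceeds payload */

/* Simplified model of the decode, not the kernel function.
 * wire = [1-byte length][text]; dst holds elem_len usable bytes. */
static int decode_string(const uint8_t *wire, size_t wire_len, char *dst,
                         uint32_t elem_len, int patched)
{
    uint32_t string_len, tlv_len;
    if (wire_len < 1)
        return ERR_TRUNCATED;
    string_len = wire[0];
    tlv_len = (uint32_t)(wire_len - 1);
    /* patched: '>=' as in the fix; otherwise the original '>' */
    if (patched ? string_len >= elem_len : string_len > elem_len)
        return ERR_TOOSMALL;
    if (string_len > tlv_len)
        return ERR_TRUNCATED;
    memcpy(dst, wire + 1, string_len);
    dst[string_len] = '\0';   /* lands on dst[elem_len] if len == elem_len */
    return (int)string_len;
}

/* Decode into ELEM_LEN bytes plus one guard byte so the stray NUL is
 * observable without a real overflow. Returns 1 if the guard changed. */
static int guard_clobbered(uint8_t string_len, int patched, int *rc)
{
    uint8_t wire[256];               /* constructed sample message */
    char storage[ELEM_LEN + 1];      /* last byte is the guard */

    memset(wire, 'A', sizeof(wire));
    wire[0] = string_len;
    memset(storage, CANARY, sizeof(storage));
    *rc = decode_string(wire, sizeof(wire), storage, ELEM_LEN, patched);
    return (uint8_t)storage[ELEM_LEN] != CANARY;
}

int main(void)
{
    int rc, hit = guard_clobbered(ELEM_LEN, 0, &rc);
    printf("original: rc=%d clobbered=%d\n", rc, hit);
    hit = guard_clobbered(ELEM_LEN, 1, &rc);
    printf("patched:  rc=%d clobbered=%d\n", rc, hit);
}
```

A string of exactly `MAX_LEN` characters decodes under both comparisons; only the `MAX_LEN + 1` case differs.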
Comments
On Mon, Jul 31, 2023 at 03:33:11PM +0530, Praveenkumar I wrote:
> The QMI TLV value for strings in a lot of qmi element info structures
> account for null terminated strings with MAX_LEN + 1. If a string is
> actually MAX_LEN + 1 length, this will cause an out of bounds access
> when the NULL character is appended in decoding.
>
> Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
> Cc: stable@vger.kernel.org
> Signed-off-by: Chris Lew <quic_clew@quicinc.com>
> Signed-off-by: Praveenkumar I <quic_ipkumar@quicinc.com>

The signed-off-by list says that Chris certified the patch's origin
first, then you took it, certified the origin and submitted it to the
mailing list.

This matches reality, but you lost Chris' authorship in the process,
please add that back.

Thanks,
Bjorn

> ---
> [v2]:
> Added Fixes and Cc: stable
>
> drivers/soc/qcom/qmi_encdec.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c > index b7158e3c3a0b..5c7161b18b72 100644 > --- a/drivers/soc/qcom/qmi_encdec.c > +++ b/drivers/soc/qcom/qmi_encdec.c > @@ -534,8 +534,8 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array, > decoded_bytes += rc; > } > > - if (string_len > temp_ei->elem_len) { > - pr_err("%s: String len %d > Max Len %d\n", > + if (string_len >= temp_ei->elem_len) { > + pr_err("%s: String len %d >= Max Len %d\n", > __func__, string_len, temp_ei->elem_len); > return -ETOOSMALL; > } else if (string_len > tlv_len) { > -- > 2.34.1 >
On 8/1/2023 4:54 AM, Bjorn Andersson wrote:
> On Mon, Jul 31, 2023 at 03:33:11PM +0530, Praveenkumar I wrote:
>> The QMI TLV value for strings in a lot of qmi element info structures
>> account for null terminated strings with MAX_LEN + 1. If a string is
>> actually MAX_LEN + 1 length, this will cause an out of bounds access
>> when the NULL character is appended in decoding.
>>
>> Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Chris Lew <quic_clew@quicinc.com>
>> Signed-off-by: Praveenkumar I <quic_ipkumar@quicinc.com>
> The signed-off-by list says that Chris certified the patch's origin
> first, then you took it, certified the origin and submitted it to the
> mailing list.
>
> This matches reality, but you lost Chris' authorship in the process,
> please add that back.

Yes, you are right. Will add that, and post it.

- Praveenkumar

> Thanks,
> Bjorn
>
>> ---
>> [v2]:
>> Added Fixes and Cc: stable
>>
>> drivers/soc/qcom/qmi_encdec.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c >> index b7158e3c3a0b..5c7161b18b72 100644 >> --- a/drivers/soc/qcom/qmi_encdec.c >> +++ b/drivers/soc/qcom/qmi_encdec.c >> @@ -534,8 +534,8 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array, >> decoded_bytes += rc; >> } >> >> - if (string_len > temp_ei->elem_len) { >> - pr_err("%s: String len %d > Max Len %d\n", >> + if (string_len >= temp_ei->elem_len) { >> + pr_err("%s: String len %d >= Max Len %d\n", >> __func__, string_len, temp_ei->elem_len); >> return -ETOOSMALL; >> } else if (string_len > tlv_len) { >> -- >> 2.34.1 >>
diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c index b7158e3c3a0b..5c7161b18b72 100644 --- a/drivers/soc/qcom/qmi_encdec.c +++ b/drivers/soc/qcom/qmi_encdec.c @@ -534,8 +534,8 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array, decoded_bytes += rc; } - if (string_len > temp_ei->elem_len) { - pr_err("%s: String len %d > Max Len %d\n", + if (string_len >= temp_ei->elem_len) { + pr_err("%s: String len %d >= Max Len %d\n", __func__, string_len, temp_ei->elem_len); return -ETOOSMALL; } else if (string_len > tlv_len) {
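Review bot: the new `string_len >= temp_ei->elem_len` test in qmi_decode_string_elem() assumes every string element declares elem_len as MAX_LEN + 1, but the commit message only says this holds for "a lot of" qmi element info structures. Any element whose elem_len was declared as the bare maximum length will now have a string of exactly that length rejected with -ETOOSMALL, where it was accepted before. Please either state in the commit message that such elements were checked, or add a short comment above the comparison saying that elem_len must include room for the terminating NUL. The line that appends the terminator is outside this hunk, so the reason for `>=` is not evident from the visible context.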