Re: [PATCH] thunderbolt: fix a missing-check bug

From: Mika Westerberg
Date: Mon Oct 22 2018 - 04:06:19 EST

Next message: Christoph Hellwig: "[GIT PULL] first round of dma mapping updates for 4.20"
Previous message: Ben Hutchings: "Linux 3.16.60"
In reply to: Wenwen Wang: "[PATCH] thunderbolt: fix a missing-check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Oct 20, 2018 at 03:15:56PM -0500, Wenwen Wang wrote:
> In tb_ring_poll(), the flag of the frame, i.e.,
> 'ring->descriptors[ring->tail].flags', is checked to see whether the frame
> is completed. If yes, the frame including the flag will be read from the
> ring and returned to the caller. The problem here is that the flag is
> actually in a DMA region, which is allocated through dma_alloc_coherent()
> in tb_ring_alloc(). Given that the device can also access this DMA region,
> it is possible that a malicious device controlled by an attacker can modify
> the flag between the check and the copy. By doing so, the attacker can
> bypass the check and supply uncompleted frame, which can cause undefined
> behavior of the kernel and introduce potential security risk.
>
> This patch firstly copies the flag into a local variable 'desc_flags' and
> then performs the check and copy using 'desc_flags'. Through this way, the
> above issue can be avoided.

Same here :)

Next message: Christoph Hellwig: "[GIT PULL] first round of dma mapping updates for 4.20"
Previous message: Ben Hutchings: "Linux 3.16.60"
In reply to: Wenwen Wang: "[PATCH] thunderbolt: fix a missing-check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]