[PATCH 4.4 04/14] platform/chrome: cros_ec_dev - Fix security issue

From: Greg Kroah-Hartman
Date: Mon Mar 22 2021 - 09:05:51 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.4 05/14] btrfs: fix race when cloning extent buffer during rewind of an old root"
Previous message: Greg Kroah-Hartman: "[PATCH 4.4 03/14] ext4: check journal inode extents more carefully"
In reply to: Greg Kroah-Hartman: "[PATCH 4.4 03/14] ext4: check journal inode extents more carefully"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.4 05/14] btrfs: fix race when cloning extent buffer during rewind of an old root"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Gwendal Grignou <gwendal@xxxxxxxxxxxx>

commit 5d749d0bbe811c10d9048cde6dfebc761713abfd upstream.

Prevent memory scribble by checking that ioctl buffer size parameters
are sane.
Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and
.outsize the amount to scribble, we would overflow, allocate a small
amounts and be able to write outside of the malloc'ed area.
Adding a hard limit allows argument checking of the ioctl. With the
current EC, it is expected .insize and .outsize to be at around 512 bytes
or less.

Signed-off-by: Gwendal Grignou <gwendal@xxxxxxxxxxxx>
Signed-off-by: Olof Johansson <olof@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/platform/chrome/cros_ec_dev.c | 4 ++++
drivers/platform/chrome/cros_ec_proto.c | 4 ++--
include/linux/mfd/cros_ec.h | 6 ++++--
3 files changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/platform/chrome/cros_ec_dev.c
+++ b/drivers/platform/chrome/cros_ec_dev.c
@@ -137,6 +137,10 @@ static long ec_device_ioctl_xcmd(struct
if (copy_from_user(&u_cmd, arg, sizeof(u_cmd)))
return -EFAULT;

+ if ((u_cmd.outsize > EC_MAX_MSG_BYTES) ||
+ (u_cmd.insize > EC_MAX_MSG_BYTES))
+ return -EINVAL;
+
s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
GFP_KERNEL);
if (!s_cmd)
--- a/drivers/platform/chrome/cros_ec_proto.c
+++ b/drivers/platform/chrome/cros_ec_proto.c
@@ -311,8 +311,8 @@ int cros_ec_query_all(struct cros_ec_dev
ec_dev->max_response = EC_PROTO2_MAX_PARAM_SIZE;
ec_dev->max_passthru = 0;
ec_dev->pkt_xfer = NULL;
- ec_dev->din_size = EC_MSG_BYTES;
- ec_dev->dout_size = EC_MSG_BYTES;
+ ec_dev->din_size = EC_PROTO2_MSG_BYTES;
+ ec_dev->dout_size = EC_PROTO2_MSG_BYTES;
} else {
/*
* It's possible for a test to occur too early when
--- a/include/linux/mfd/cros_ec.h
+++ b/include/linux/mfd/cros_ec.h
@@ -50,9 +50,11 @@ enum {
EC_MSG_TX_TRAILER_BYTES,
EC_MSG_RX_PROTO_BYTES = 3,

- /* Max length of messages */
- EC_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
+ /* Max length of messages for proto 2*/
+ EC_PROTO2_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
EC_MSG_TX_PROTO_BYTES,
+
+ EC_MAX_MSG_BYTES = 64 * 1024,
};

/*

Next message: Greg Kroah-Hartman: "[PATCH 4.4 05/14] btrfs: fix race when cloning extent buffer during rewind of an old root"
Previous message: Greg Kroah-Hartman: "[PATCH 4.4 03/14] ext4: check journal inode extents more carefully"
In reply to: Greg Kroah-Hartman: "[PATCH 4.4 03/14] ext4: check journal inode extents more carefully"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.4 05/14] btrfs: fix race when cloning extent buffer during rewind of an old root"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]