Re: [PATCH v3 1/4] thunderbolt: property: reject u32 wrap in tb_property_entry_valid()

Next message: Andy Shevchenko: "Re: [PATCH v3 2/4] thunderbolt: property: reject dir_len &lt; 4 to prevent size_t underflow"
Previous message: Geert Uytterhoeven: "Re: [PATCH RFC 1/2] regulator: dt-bindings: raa215300: add clock output"
In reply to: Michael Bommarito: "[PATCH v3 1/4] thunderbolt: property: reject u32 wrap in tb_property_entry_valid()"
Next in thread: Michael Bommarito: "[PATCH v3 2/4] thunderbolt: property: reject dir_len &lt; 4 to prevent size_t underflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Mon May 04 2026 - 05:02:24 EST

On Sun, May 03, 2026 at 10:15:05AM -0400, Michael Bommarito wrote:
> entry->value is u32 and entry->length is u16; the sum is performed in
> u32 and wraps. A malicious XDomain peer can pick
> value = 0xffffff00, length = 0x100 so the sum 0x100000000 wraps to 0
> and passes the > block_len check. tb_property_parse() then passes
> entry->value to parse_dwdata() as a dword offset into the property
> block, reading attacker-directed memory far past the allocation.
>
> For TEXT-typed entries with the "deviceid" or "vendorid" keys this
> lands in xd->device_name / xd->vendor_name and is readable back via
> the per-XDomain device_name / vendor_name sysfs attributes; the leak
> is NUL-bounded (kstrdup() stops at the first zero byte) and
> untargeted (the attacker picks a delta, not an absolute address).
> DATA-typed entries are parsed into property->value.data but not
> generically surfaced to userspace.
>
> Use check_add_overflow() so a wrapped sum is rejected.

...

> + if (check_add_overflow(entry->value, (u32)entry->length, &end) ||

Why is casting needed?

> + end > block_len)
> return false;

--
With Best Regards,
Andy Shevchenko