Re: [PATCH v3 3/4] thunderbolt: property: cap recursion depth in __tb_property_parse_dir()

Next message: Andy Shevchenko: "Re: [PATCH v4 7/8] iio: light: si1133: add local variable for timeout"
Previous message: Joshua Crofts: "Re: [PATCH v4 7/8] iio: light: si1133: add local variable for timeout"
In reply to: Michael Bommarito: "[PATCH v3 3/4] thunderbolt: property: cap recursion depth in __tb_property_parse_dir()"
Next in thread: Michael Bommarito: "Re: [PATCH v3 3/4] thunderbolt: property: cap recursion depth in __tb_property_parse_dir()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Mon May 04 2026 - 05:04:59 EST

On Sun, May 03, 2026 at 10:15:07AM -0400, Michael Bommarito wrote:
> A DIRECTORY entry's value field is used as the dir_offset for a
> recursive call into __tb_property_parse_dir() with no depth counter.
> A crafted peer that chains DIRECTORY entries into a back-reference
> loop drives the parser until the kernel stack is exhausted and the
> guard page fires. Any untrusted XDomain peer (cable, dock, in-line
> inspector, adjacent host) that reaches the PROPERTIES_REQUEST
> control-plane exchange can trigger this without authentication.
>
> Thread a depth counter through tb_property_parse() and
> __tb_property_parse_dir(), and reject blocks that exceed
> TB_PROPERTY_MAX_DEPTH = 8. That is comfortably larger than any
> observed legitimate XDomain layout.
>
> Operators who do not need XDomain host-to-host discovery can disable
> the path entirely with thunderbolt.xdomain=0 on the kernel command
> line.

...

> for (i = 0; i < nentries; i++) {
> struct tb_property *property;
>
> - property = tb_property_parse(block, block_len, &entries[i]);
> + property = tb_property_parse(block, block_len, &entries[i],
> + depth);

I would leave this on a single line (yes, slightly longer than 80 characters).

> if (!property) {
> tb_property_free_dir(dir);
> return NULL;

--
With Best Regards,
Andy Shevchenko