[PATCH 3/6] thunderbolt: clamp XDomain response data copy to allocation size
From: Michael Bommarito
Date: Mon May 25 2026 - 05:30:55 EST
tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.
Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
---
Confirmed over Thunderbolt 4 cable (Framework -> Dell, stock Ubuntu
26.04 7.0.0-15-generic).
Also reproduced with KASAN on QEMU (7.1.0-rc3):
BUG: KASAN: slab-out-of-bounds in tb_test_synthetic_overflow.cold+0x131/0x29a
Write of size 192 at addr ffff888002110200
drivers/thunderbolt/xdomain.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c
index 754808c43f006..4099419c74795 100644
--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -393,6 +393,8 @@ static int tb_xdp_properties_request(struct tb_ctl *ctl, u64 route,
}
}
+ if (req.offset + len > data_len)
+ len = data_len - req.offset;
memcpy(data + req.offset, res->data, len * 4);
req.offset += len;
} while (!data_len || req.offset < data_len);
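Review bot: The clamp before the memcpy silently truncates a response whose per-packet length overruns the declared data_length, and a clamped len of 0 combined with the `while (!data_len || ...)` condition means a peer that reports data_length 0 is never rejected: `req.offset + len > data_len` is true for any len, `len = data_len - req.offset` yields 0, req.offset never advances, and `!data_len` keeps the loop re-issuing the request with no exit. A peer whose length field disagrees with its own data_length is malformed, so failing with -EINVAL (as the commit message describes for the other header checks) would be safer than copying a partial block; at minimum treat `data_len == 0` or a clamped `len == 0` as an error so the loop is guaranteed to terminate. A short comment above the `if` explaining that it guards the kcalloc(data_len) allocation would also help the next reader.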
--
2.53.0