Re: [PATCH 0/6] thunderbolt: harden XDomain property exchange
From: Mika Westerberg
Date: Tue May 26 2026 - 09:38:10 EST
Hi,

On Mon, May 25, 2026 at 05:28:24AM -0400, Michael Bommarito wrote:
> This series fixes 4 memory-safety defects and 1 data-handling
> hardening issue in the Thunderbolt XDomain property exchange path
> (property.c and xdomain.c) and adds KUnit regression tests.
> All are reachable from an adjacent Thunderbolt peer without
> authentication. The XDomain protocol runs automatically on cable
> insertion regardless of the configured security level, unless
> disabled with thunderbolt.xdomain=0.
>
> Patches:
>
> 1/6 - reject zero-length property entries in validator
> 2/6 - bound root directory content to block size
> 3/6 - clamp XDomain response data copy to allocation size
> 4/6 - validate XDomain request packet size before type cast
> 5/6 - limit XDomain response copy to actual frame size
> 6/6 - add KUnit tests for property parser bounds checks
>
> Tested with KASAN on v7.1-rc3 and over Thunderbolt 4 hardware.
> KUnit regression tests (patch 6) confirm the fixes and existing
> tb_test_property_* tests pass on the patched tree.
>
> Based-on: thunderbolt/fixes (928abe19fbf01)
>
> Michael Bommarito (6):
> thunderbolt: reject zero-length property entries in validator
> thunderbolt: bound root directory content to block size
> thunderbolt: clamp XDomain response data copy to allocation size
> thunderbolt: validate XDomain request packet size before type cast
> thunderbolt: limit XDomain response copy to actual frame size

All these applied to thunderbolt.git/fixes.

> thunderbolt: test: add KUnit tests for property parser bounds checks

This one applied to thunderbolt.git/next.

Thanks!