bus: mhi: core: Read transfer length from an event properly - blaster4385/linux-IllusionX - Linux kernel with personal config changes for arch linux

diff options

author	Hemant Kumar <[email protected]>	2020-05-21 22:32:39 +0530
committer	Greg Kroah-Hartman <[email protected]>	2020-05-22 09:35:41 +0200
commit	ee75cedf82d832561af8ba8380aeffd00a9eea77 (patch)
tree	7d032ce23f57f49bd86f96d5abc1bb6cc313c286 /tools/perf/scripts
parent	020960685041fc09ab6a23cf244477cdcbb75c5f (diff)

bus: mhi: core: Read transfer length from an event properly

When MHI Driver receives an EOT event, it reads xfer_len from the event in the last TRE. The value is under control of the MHI device and never validated by Host MHI driver. The value should never be larger than the real size of the buffer but a malicious device can set the value 0xFFFF as maximum. This causes driver to memory overflow (both read or write). Fix this issue by reading minimum of transfer length from event and the buffer length provided. Signed-off-by: Hemant Kumar <[email protected]> Signed-off-by: Bhaumik Bhatt <[email protected]> Reviewed-by: Jeffrey Hugo <[email protected]> Reviewed-by: Manivannan Sadhasivam <[email protected]> Signed-off-by: Manivannan Sadhasivam <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>

Diffstat (limited to 'tools/perf/scripts')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: