Commit c5f338c4 authored by Johan Hovold's avatar Johan Hovold Committed by Greg Kroah-Hartman

greybus: uart: fix incomplete receive-data sanity checks

Fix incomplete receive-data sanity checks.

The payload size was never verified before parsing the uart header and
neither was the uart-header data size verified against the actual
payload size, something which could lead to information leaks when
passing data beyond the payload buffer to the tty layer.

Also remove the incorrect check against the maximum (tx-buffer) payload
size.
Reviewed-by: default avatarRui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: default avatarJohan Hovold <johan@hovoldconsulting.com>
Reviewed-by: default avatarBryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@google.com>
parent cb7f00ba
...@@ -65,18 +65,36 @@ static DEFINE_IDR(tty_minors); ...@@ -65,18 +65,36 @@ static DEFINE_IDR(tty_minors);
static DEFINE_MUTEX(table_lock); static DEFINE_MUTEX(table_lock);
static atomic_t reference_count = ATOMIC_INIT(0); static atomic_t reference_count = ATOMIC_INIT(0);
static int gb_uart_receive_data(struct gb_tty *gb_tty, static int gb_uart_receive_data_handler(struct gb_operation *op)
struct gb_connection *connection,
struct gb_uart_recv_data_request *receive_data)
{ {
struct gb_connection *connection = op->connection;
struct gb_tty *gb_tty = connection->private;
struct tty_port *port = &gb_tty->port; struct tty_port *port = &gb_tty->port;
struct gb_message *request = op->request;
struct gb_uart_recv_data_request *receive_data;
u16 recv_data_size; u16 recv_data_size;
int count; int count;
unsigned long tty_flags = TTY_NORMAL; unsigned long tty_flags = TTY_NORMAL;
count = gb_tty->buffer_payload_max - sizeof(*receive_data); if (request->payload_size < sizeof(*receive_data)) {
dev_err(&connection->bundle->dev,
"short receive-data request received (%zu < %zu)\n",
request->payload_size, sizeof(*receive_data));
return -EINVAL;
}
receive_data = op->request->payload;
recv_data_size = le16_to_cpu(receive_data->size); recv_data_size = le16_to_cpu(receive_data->size);
if (!recv_data_size || recv_data_size > count)
if (recv_data_size != request->payload_size - sizeof(*receive_data)) {
dev_err(&connection->bundle->dev,
"malformed receive-data request received (%u != %zu)\n",
recv_data_size,
request->payload_size - sizeof(*receive_data));
return -EINVAL;
}
if (!recv_data_size)
return -EINVAL; return -EINVAL;
if (receive_data->flags) { if (receive_data->flags) {
...@@ -126,14 +144,11 @@ static int gb_uart_serial_state_handler(struct gb_operation *op) ...@@ -126,14 +144,11 @@ static int gb_uart_serial_state_handler(struct gb_operation *op)
static int gb_uart_request_recv(u8 type, struct gb_operation *op) static int gb_uart_request_recv(u8 type, struct gb_operation *op)
{ {
struct gb_connection *connection = op->connection; struct gb_connection *connection = op->connection;
struct gb_tty *gb_tty = connection->private;
struct gb_message *request = op->request;
int ret; int ret;
switch (type) { switch (type) {
case GB_UART_TYPE_RECEIVE_DATA: case GB_UART_TYPE_RECEIVE_DATA:
ret = gb_uart_receive_data(gb_tty, connection, ret = gb_uart_receive_data_handler(op);
request->payload);
break; break;
case GB_UART_TYPE_SERIAL_STATE: case GB_UART_TYPE_SERIAL_STATE:
ret = gb_uart_serial_state_handler(op); ret = gb_uart_serial_state_handler(op);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment