From: Bjorn Andersson <quic_bjorande@quicinc.com>
To: Hardevsinh Palaniya <hardevsinh.palaniya@siliconsignals.io>
Cc: "agross@kernel.org" <agross@kernel.org>,
"andersson@kernel.org" <andersson@kernel.org>,
Konrad Dybcio <konrad.dybcio@linaro.org>,
Mathieu Poirier <mathieu.poirier@linaro.org>,
"linux-arm-msm@vger.kernel.org" <linux-arm-msm@vger.kernel.org>,
"linux-remoteproc@vger.kernel.org"
<linux-remoteproc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] rpmsg: glink: Fix buffer overflow
Date: Wed, 13 Dec 2023 14:58:38 -0800 [thread overview]
Message-ID: <20231213225838.GQ1766637@hu-bjorande-lv.qualcomm.com> (raw)
In-Reply-To: <MA0PR01MB7145C9A06689F2C5C43A3876FF8DA@MA0PR01MB7145.INDPRD01.PROD.OUTLOOK.COM>
On Wed, Dec 13, 2023 at 03:15:15PM +0000, Hardevsinh Palaniya wrote:
> Hello [1]@Bjorn Andersson,
Please use appropriate mail list etiquette, and avoid HTML and
top-posting in your responses.
>
> "strscpy_pad" itself takes care of null-terminated strings. So, there
> will be no leak.
Your strscpy_pad() will NUL-terminate and zero-pad up to 32 bytes.
Following this the next line will write strlen(name) + sizeof(hdr) bytes
to the FIFO.
So if strlen(name) >= 32 you will read beyond the end of the zero-padded
string.
Regards,
Bjorn
> __________________________________________________________________
>
> From: Bjorn Andersson <quic_bjorande@quicinc.com>
> Sent: Tuesday, December 12, 2023 12:10 AM
> To: Hardevsinh Palaniya <hardevsinh.palaniya@siliconsignals.io>
> Cc: agross@kernel.org <agross@kernel.org>; andersson@kernel.org
> <andersson@kernel.org>; Konrad Dybcio <konrad.dybcio@linaro.org>;
> Mathieu Poirier <mathieu.poirier@linaro.org>;
> linux-arm-msm@vger.kernel.org <linux-arm-msm@vger.kernel.org>;
> linux-remoteproc@vger.kernel.org <linux-remoteproc@vger.kernel.org>;
> linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>
> Subject: Re: [PATCH] rpmsg: glink: Fix buffer overflow
>
> On Mon, Dec 11, 2023 at 09:32:20PM +0530, Hardevsinh Palaniya wrote:
> > In qcom_glink_send_open_req() remove error: strcpy() 'channel->name'
> > too large for 'req.name' (1010102 vs 32)
> >
> As far as I can tell, channel->name comes from the struct
> rpmsg_channel_info->name, which is a 32-byte array, and all code paths
> I
> can find either uses strscpy() or explicitly NUL-terminates this
> string.
> I'm curious to know which path took us here.
> > Signed-off-by: Hardevsinh Palaniya
> <hardevsinh.palaniya@siliconsignals.io>
> >
> > diff --git a/drivers/rpmsg/qcom_glink_native.c
> b/drivers/rpmsg/qcom_glink_native.c
> > index 82d460ff4777..2d6a592e1c72 100644
> > --- a/drivers/rpmsg/qcom_glink_native.c
> > +++ b/drivers/rpmsg/qcom_glink_native.c
> > @@ -479,7 +479,7 @@ static int qcom_glink_send_open_req(struct
> qcom_glink *glink,
> > req.msg.cmd = cpu_to_le16(GLINK_CMD_OPEN);
> > req.msg.param1 = cpu_to_le16(channel->lcid);
> > req.msg.param2 = cpu_to_le32(name_len);
> > - strcpy(req.name, channel->name);
> > + strscpy_pad(req.name, channel->name, sizeof(req.name));
> I think this patch is incomplete. While it makes sure we don't
> overwrite
> the stack. name_len is strlen(channel->name) + 1 and the amount of data
> sent out is based on name_len.
> As such, if you can get here with a @name of arbitrary length, then you
> can control how much of the stack we're going to now leak to the
> recipient.
> Regards,
> Bjorn
> >
> > ret = qcom_glink_tx(glink, &req, req_len, NULL, 0, true);
> > if (ret)
> > --
> > 2.25.1
> >
> >
>
> References
>
> 1. mailto:quic_bjorande@quicinc.com
prev parent reply other threads:[~2023-12-13 22:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-11 16:02 [PATCH] rpmsg: glink: Fix buffer overflow Hardevsinh Palaniya
2023-12-11 18:40 ` Bjorn Andersson
[not found] ` <MA0PR01MB7145C9A06689F2C5C43A3876FF8DA@MA0PR01MB7145.INDPRD01.PROD.OUTLOOK.COM>
2023-12-13 22:58 ` Bjorn Andersson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231213225838.GQ1766637@hu-bjorande-lv.qualcomm.com \
--to=quic_bjorande@quicinc.com \
--cc=agross@kernel.org \
--cc=andersson@kernel.org \
--cc=hardevsinh.palaniya@siliconsignals.io \
--cc=konrad.dybcio@linaro.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-remoteproc@vger.kernel.org \
--cc=mathieu.poirier@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.