lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bus: mhi: misc: Add check for dev_rp if it is iommu range or not

Browse Source 
er_ctxt->rp pointer is updated by MDM which is untrusted to HLOS,
it could be arbitrary value.

If there is security issue on MDM, and updated pointer which is not
align then driver will never come out of loop where checking against
dev_rp != rp.

So added check to make sure it is in the buffer range & aligned to 128bit.

Change-Id: Ib484e07f2c75fcd657a4ccc648a3a20de3edeebc
Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
This commit is contained in:
Krishna chaitanya chundru 2023-07-05 14:48:10 +05:30 committed by Gerrit - the friendly Code Review server
parent 98c03480ec
commit f4a90045e0
2 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/bus/mhi/core/mhi_internal.h
View File

@ -809,6 +809,12 @@ static inline void mhi_trigger_resume(struct mhi_controller *mhi_cntrl)
pm_wakeup_hard_event(&mhi_cntrl->mhi_dev->dev);
}
static inline bool is_valid_ring_ptr(struct mhi_ring *ring, dma_addr_t addr)
{
return ((addr >= ring->iommu_base &&
addr < ring->iommu_base + ring->len) && (addr % 16 == 0));
}
/* queue transfer buffer */
int mhi_gen_tre(struct mhi_controller *mhi_cntrl, struct mhi_chan *mhi_chan,
void *buf, void *cb, size_t buf_len, enum MHI_FLAGS flags);

14
drivers/bus/mhi/core/mhi_main.c
View File

@ -1403,6 +1403,12 @@ int mhi_process_tsync_ev_ring(struct mhi_controller *mhi_cntrl,
int ret = 0;
spin_lock_bh(&mhi_event->lock);
if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) {
MHI_ERR("Event ring rp points outside of the event ring or unalign rp %llx\n",
er_ctxt->rp);
spin_unlock_bh(&mhi_event->lock);
return 0;
}
dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
if (ev_ring->rp == dev_rp) {
spin_unlock_bh(&mhi_event->lock);
@ -1496,8 +1502,14 @@ int mhi_process_bw_scale_ev_ring(struct mhi_controller *mhi_cntrl,
int ret = 0;
spin_lock_bh(&mhi_event->lock);
dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) {
MHI_ERR("Event ring rp points outside of the event ring or unalign rp %llx\n",
er_ctxt->rp);
spin_unlock_bh(&mhi_event->lock);
return 0;
}
dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
if (ev_ring->rp == dev_rp) {
spin_unlock_bh(&mhi_event->lock);
goto exit_bw_scale_process;