From: Bjorn Andersson <quic_bjorande@quicinc.com>
To: Hardevsinh Palaniya <hardevsinh.palaniya@siliconsignals.io>
Cc: "agross@kernel.org" <agross@kernel.org>,
"andersson@kernel.org" <andersson@kernel.org>,
Konrad Dybcio <konrad.dybcio@linaro.org>,
Mathieu Poirier <mathieu.poirier@linaro.org>,
"linux-arm-msm@vger.kernel.org" <linux-arm-msm@vger.kernel.org>,
"linux-remoteproc@vger.kernel.org"
<linux-remoteproc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] rpmsg: glink: Fix buffer overflow
Date: Wed, 13 Dec 2023 14:58:38 -0800 [thread overview]
Message-ID: <20231213225838.GQ1766637@hu-bjorande-lv.qualcomm.com> (raw)
In-Reply-To: <MA0PR01MB7145C9A06689F2C5C43A3876FF8DA@MA0PR01MB7145.INDPRD01.PROD.OUTLOOK.COM>
On Wed, Dec 13, 2023 at 03:15:15PM +0000, Hardevsinh Palaniya wrote:
> Hello [1]@Bjorn Andersson,
Please use appropriate mail list etiquette, and avoid HTML and
top-posting in your responses.
>
> "strscpy_pad" itself takes care of null-terminated strings. So, there
> will be no leak.
Your strscpy_pad() will NUL-terminate and zero-pad up to 32 bytes.
Following this the next line will write strlen(name) + sizeof(hdr) bytes
to the FIFO.
So if strlen(name) >= 32 you will read beyond the end of the zero-padded
string.
Regards,
Bjorn
> __________________________________________________________________
>
> From: Bjorn Andersson <quic_bjorande@quicinc.com>
> Sent: Tuesday, December 12, 2023 12:10 AM
> To: Hardevsinh Palaniya <hardevsinh.palaniya@siliconsignals.io>
> Cc: agross@kernel.org <agross@kernel.org>; andersson@kernel.org
> <andersson@kernel.org>; Konrad Dybcio <konrad.dybcio@linaro.org>;
> Mathieu Poirier <mathieu.poirier@linaro.org>;
> linux-arm-msm@vger.kernel.org <linux-arm-msm@vger.kernel.org>;
> linux-remoteproc@vger.kernel.org <linux-remoteproc@vger.kernel.org>;
> linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>
> Subject: Re: [PATCH] rpmsg: glink: Fix buffer overflow
>
> On Mon, Dec 11, 2023 at 09:32:20PM +0530, Hardevsinh Palaniya wrote:
> > In qcom_glink_send_open_req() remove error: strcpy() 'channel->name'
> > too large for 'req.name' (1010102 vs 32)
> >
> As far as I can tell, channel->name comes from the struct
> rpmsg_channel_info->name, which is a 32-byte array, and all code paths
> I
> can find either uses strscpy() or explicitly NUL-terminates this
> string.
> I'm curious to know which path took us here.
> > Signed-off-by: Hardevsinh Palaniya
> <hardevsinh.palaniya@siliconsignals.io>
> >
> > diff --git a/drivers/rpmsg/qcom_glink_native.c
> b/drivers/rpmsg/qcom_glink_native.c
> > index 82d460ff4777..2d6a592e1c72 100644
> > --- a/drivers/rpmsg/qcom_glink_native.c
> > +++ b/drivers/rpmsg/qcom_glink_native.c
> > @@ -479,7 +479,7 @@ static int qcom_glink_send_open_req(struct
> qcom_glink *glink,
> > req.msg.cmd = cpu_to_le16(GLINK_CMD_OPEN);
> > req.msg.param1 = cpu_to_le16(channel->lcid);
> > req.msg.param2 = cpu_to_le32(name_len);
> > - strcpy(req.name, channel->name);
> > + strscpy_pad(req.name, channel->name, sizeof(req.name));
> I think this patch is incomplete. While it makes sure we don't
> overwrite
> the stack. name_len is strlen(channel->name) + 1 and the amount of data
> sent out is based on name_len.
> As such, if you can get here with a @name of arbitrary length, then you
> can control how much of the stack we're going to now leak to the
> recipient.
> Regards,
> Bjorn
> >
> > ret = qcom_glink_tx(glink, &req, req_len, NULL, 0, true);
> > if (ret)
> > --
> > 2.25.1
> >
> >
>
> References
>
> 1. mailto:quic_bjorande@quicinc.com
prev parent reply other threads:[~2023-12-13 22:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-11 16:02 [PATCH] rpmsg: glink: Fix buffer overflow Hardevsinh Palaniya
2023-12-11 18:40 ` Bjorn Andersson
[not found] ` <MA0PR01MB7145C9A06689F2C5C43A3876FF8DA@MA0PR01MB7145.INDPRD01.PROD.OUTLOOK.COM>
2023-12-13 22:58 ` Bjorn Andersson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231213225838.GQ1766637@hu-bjorande-lv.qualcomm.com \
--to=quic_bjorande@quicinc.com \
--cc=agross@kernel.org \
--cc=andersson@kernel.org \
--cc=hardevsinh.palaniya@siliconsignals.io \
--cc=konrad.dybcio@linaro.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-remoteproc@vger.kernel.org \
--cc=mathieu.poirier@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).