[PATCH 4/5] rpmsg: validate incoming message length before propagating
Ohad Ben-Cohen
ohad at wizery.com
Tue Feb 28 12:21:11 EST 2012
When an inbound message arrives, validate its reported length before
propagating it, otherwise buggy (or malicious) remote processors might
trick us into accessing memory which we really shouldn't.
Signed-off-by: Ohad Ben-Cohen <ohad at wizery.com>
Cc: Grant Likely <grant.likely at secretlab.ca>
Cc: Arnd Bergmann <arnd at arndb.de>
Cc: Mark Grosen <mgrosen at ti.com>
Cc: Suman Anna <s-anna at ti.com>
Cc: Fernando Guzman Lugo <fernando.lugo at ti.com>
Cc: Rob Clark <rob at ti.com>
Cc: Ludovic BARRE <ludovic.barre at stericsson.com>
Cc: Loic PALLARDY <loic.pallardy at stericsson.com>
Cc: Omar Ramirez Luna <omar.luna at linaro.org>
---
drivers/rpmsg/virtio_rpmsg_bus.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
index 4db9cf8..1e8b8b6 100644
--- a/drivers/rpmsg/virtio_rpmsg_bus.c
+++ b/drivers/rpmsg/virtio_rpmsg_bus.c
@@ -778,6 +778,16 @@ static void rpmsg_recv_done(struct virtqueue *rvq)
print_hex_dump(KERN_DEBUG, "rpmsg_virtio RX: ", DUMP_PREFIX_NONE, 16, 1,
msg, sizeof(*msg) + msg->len, true);
+ /*
+ * We currently use fixed-sized buffers, so trivially sanitize
+ * the reported payload length.
+ */
+ if (len > RPMSG_BUF_SIZE ||
+ msg->len > (len - sizeof(struct rpmsg_hdr))) {
+ dev_warn(dev, "inbound msg too big: (%d, %d)\n", len, msg->len);
+ return;
+ }
+
/* use the dst addr to fetch the callback of the appropriate user */
mutex_lock(&vrp->endpoints_lock);
ept = idr_find(&vrp->endpoints, msg->dst);
--
1.7.5.4
More information about the linux-arm-kernel
mailing list