[PATCH 4/5] rpmsg: validate incoming message length before propagating

[Ohad Ben-Cohen]

When an inbound message arrives, validate its reported length before
propagating it, otherwise buggy (or malicious) remote processors might
trick us into accessing memory which we really shouldn't.

Signed-off-by: Ohad Ben-Cohen <ohad at wizery.com>
Cc: Grant Likely <grant.likely at secretlab.ca>
Cc: Arnd Bergmann <arnd at arndb.de>
Cc: Mark Grosen <mgrosen at ti.com>
Cc: Suman Anna <s-anna at ti.com>
Cc: Fernando Guzman Lugo <fernando.lugo at ti.com>
Cc: Rob Clark <rob at ti.com>
Cc: Ludovic BARRE <ludovic.barre at stericsson.com>
Cc: Loic PALLARDY <loic.pallardy at stericsson.com>
Cc: Omar Ramirez Luna <omar.luna at linaro.org>
---
 drivers/rpmsg/virtio_rpmsg_bus.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/drivers/rpmsg/virtio_rpmsg_bus.c b/drivers/rpmsg/virtio_rpmsg_bus.c
index 4db9cf8..1e8b8b6 100644
--- a/drivers/rpmsg/virtio_rpmsg_bus.c
+++ b/drivers/rpmsg/virtio_rpmsg_bus.c
@@ -778,6 +778,16 @@ static void rpmsg_recv_done(struct virtqueue *rvq)
 	print_hex_dump(KERN_DEBUG, "rpmsg_virtio RX: ", DUMP_PREFIX_NONE, 16, 1,
 					msg, sizeof(*msg) + msg->len, true);
 
+	/*
+	 * We currently use fixed-sized buffers, so trivially sanitize
+	 * the reported payload length.
+	 */
+	if (len > RPMSG_BUF_SIZE ||
+		msg->len > (len - sizeof(struct rpmsg_hdr))) {
+		dev_warn(dev, "inbound msg too big: (%d, %d)\n", len, msg->len);
+		return;
+	}
+
 	/* use the dst addr to fetch the callback of the appropriate user */
 	mutex_lock(&vrp->endpoints_lock);
 	ept = idr_find(&vrp->endpoints, msg->dst);
-- 
1.7.5.4