diff options
| author | Pindar Yang <pindaryang@google.com> | 2023-11-22 16:58:04 +0800 |
|---|---|---|
| committer | Pindar Yang <pindaryang@google.com> | 2023-11-22 16:58:04 +0800 |
| commit | 6283e60455dd7382e9151cf772aaa79d3ebcc6a4 (patch) | |
| tree | 43a77505ede36f0e3d8ef978fdcf9321739efe53 | |
| parent | 4017eeae38f06849857a06efb344f25c98ddc0f0 (diff) | |
| download | msm-android-14.0.0_r0.46.tar.gz | |
bus: mhi: misc: Add check for dev_rp if it is iommu range or notandroid-14.0.0_r0.46android-msm-redbull-4.19-android14-qpr1
er_ctxt->rp pointer is updated by MDM which is untrusted to HLOS,
it could be arbitrary value.
If there is security issue on MDM, and updated pointer which is not
align then driver will never come out of loop where checking against
dev_rp != rp.
So added check to make sure it is in the buffer range & aligned to 128bit.
Bug: 303101658
CRs-Fixed: 3545432
Change-Id: Ib484e07f2c75fcd657a4ccc648a3a20de3edeebc
Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
Signed-off-by: Paras Sharma <quic_parass@quicinc.com>
Signed-off-by: Pindar Yang <pindaryang@google.com>
| -rw-r--r-- | drivers/bus/mhi/core/mhi_internal.h | 6 | ||||
| -rw-r--r-- | drivers/bus/mhi/core/mhi_main.c | 16 |
2 files changed, 21 insertions, 1 deletions
diff --git a/drivers/bus/mhi/core/mhi_internal.h b/drivers/bus/mhi/core/mhi_internal.h index f078adc92207..001a944d7f6c 100644 --- a/drivers/bus/mhi/core/mhi_internal.h +++ b/drivers/bus/mhi/core/mhi_internal.h @@ -808,6 +808,12 @@ static inline void mhi_trigger_resume(struct mhi_controller *mhi_cntrl) pm_wakeup_hard_event(&mhi_cntrl->mhi_dev->dev); } +static inline bool is_valid_ring_ptr(struct mhi_ring *ring, dma_addr_t addr) +{ + return ((addr >= ring->iommu_base && + addr < ring->iommu_base + ring->len) && (addr % 16 == 0)); +} + /* queue transfer buffer */ int mhi_gen_tre(struct mhi_controller *mhi_cntrl, struct mhi_chan *mhi_chan, void *buf, void *cb, size_t buf_len, enum MHI_FLAGS flags); diff --git a/drivers/bus/mhi/core/mhi_main.c b/drivers/bus/mhi/core/mhi_main.c index de4cfdb8823f..946b24e2e1df 100644 --- a/drivers/bus/mhi/core/mhi_main.c +++ b/drivers/bus/mhi/core/mhi_main.c @@ -1385,6 +1385,13 @@ int mhi_process_tsync_ev_ring(struct mhi_controller *mhi_cntrl, int ret = 0; spin_lock_bh(&mhi_event->lock); + if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) { + MHI_ERR( + "Event ring rp points outside of the event ring or unalign rp %llx\n", + er_ctxt->rp); + spin_unlock_bh(&mhi_event->lock); + return 0; + } dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); if (ev_ring->rp == dev_rp) { spin_unlock_bh(&mhi_event->lock); @@ -1477,8 +1484,15 @@ int mhi_process_bw_scale_ev_ring(struct mhi_controller *mhi_cntrl, int result, ret = 0; spin_lock_bh(&mhi_event->lock); - dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); + if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) { + MHI_ERR( + "Event ring rp points outside of the event ring or unalign rp %llx\n", + er_ctxt->rp); + spin_unlock_bh(&mhi_event->lock); + return 0; + } + dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); if (ev_ring->rp == dev_rp) { spin_unlock_bh(&mhi_event->lock); goto exit_bw_scale_process; |