On Fri, May 08, 2020 at 07:26:43PM -0700, Bhaumik Bhatt wrote:
> From: Hemant Kumar <hemantk@xxxxxxxxxxxxxx>
>
> MHI data completion handler function reads channel id from event
> ring element. Value is under the control of MHI devices and can be
> any value between 0 and 255. In order to prevent out of bound access
> add a bound check against the max channel supported by controller
> and skip processing of that event ring element.
>
> Signed-off-by: Hemant Kumar <hemantk@xxxxxxxxxxxxxx>
> Signed-off-by: Bhaumik Bhatt <bbhatt@xxxxxxxxxxxxxx>
> Reviewed-by: Jeffrey Hugo <jhugo@xxxxxxxxxxxxxx>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@xxxxxxxxxx>
Thanks, Mani
> ---
> drivers/bus/mhi/core/main.c | 40 +++++++++++++++++++++++++++++----------
> 1 file changed, 29 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c
> index 605640c..30798ec 100644
> --- a/drivers/bus/mhi/core/main.c
> +++ b/drivers/bus/mhi/core/main.c
> @@ -775,9 +775,18 @@ int mhi_process_ctrl_ev_ring(struct mhi_controller *mhi_cntrl,
> }
> case MHI_PKT_TYPE_TX_EVENT:
> chan = MHI_TRE_GET_EV_CHID(local_rp);
> - mhi_chan = &mhi_cntrl->mhi_chan[chan];
> - parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
> - event_quota--;
> +
> + WARN_ON(chan >= mhi_cntrl->max_chan);
> +
> + /*
> + * Only process the event ring elements whose channel
> + * ID is within the maximum supported range.
> + */
> + if (chan < mhi_cntrl->max_chan) {
> + mhi_chan = &mhi_cntrl->mhi_chan[chan];
> + parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
> + event_quota--;
> + }
> break;
> default:
> dev_err(dev, "Unhandled event type: %d\n", type);
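Review bot: `WARN_ON(chan >= mhi_cntrl->max_chan)` in the MHI_PKT_TYPE_TX_EVENT case fires on a value the commit message itself describes as device-controlled, so a faulty or hostile device can produce a full stack trace per bad event and, on hosts booted with panic_on_warn, bring the machine down; the identical line in the mhi_process_data_event_ring hunk has the same problem. WARN is meant for states the kernel considers unreachable, not for rejecting external input, and here the condition is also evaluated a second time by the `if` that follows. I would drop the WARN_ON and report from the reject path with a rate-limited message, e.g. `else dev_err_ratelimited(dev, "Event for invalid channel %u\n", chan);` (format specifier to match chan's declared type, which is outside the hunk). The enclosing switch and function begin and end outside this hunk.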
> @@ -820,14 +829,23 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl,
> enum mhi_pkt_type type = MHI_TRE_GET_EV_TYPE(local_rp);
>
> chan = MHI_TRE_GET_EV_CHID(local_rp);
> - mhi_chan = &mhi_cntrl->mhi_chan[chan];
> -
> - if (likely(type == MHI_PKT_TYPE_TX_EVENT)) {
> - parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
> - event_quota--;
> - } else if (type == MHI_PKT_TYPE_RSC_TX_EVENT) {
> - parse_rsc_event(mhi_cntrl, local_rp, mhi_chan);
> - event_quota--;
> +
> + WARN_ON(chan >= mhi_cntrl->max_chan);
> +
> + /*
> + * Only process the event ring elements whose channel
> + * ID is within the maximum supported range.
> + */
> + if (chan < mhi_cntrl->max_chan) {
> + mhi_chan = &mhi_cntrl->mhi_chan[chan];
> +
> + if (likely(type == MHI_PKT_TYPE_TX_EVENT)) {
> + parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
> + event_quota--;
> + } else if (type == MHI_PKT_TYPE_RSC_TX_EVENT) {
> + parse_rsc_event(mhi_cntrl, local_rp, mhi_chan);
> + event_quota--;
> + }
> }
>
> mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring);
> --
> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
> a Linux Foundation Collaborative Project
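Review bot: The new `if (chan < mhi_cntrl->max_chan)` guard only proves the index is inside the array, so a device can still name an in-range slot that the controller never set up, and that entry is handed straight to parse_xfer_event() or parse_rsc_event(). Whether those parsers tolerate an unconfigured channel is not visible in this hunk, so this is worth confirming before relying on the bound check alone. If struct mhi_chan records this (I believe it has a `configured` flag, please verify), the guard could become `if (chan < mhi_cntrl->max_chan && mhi_cntrl->mhi_chan[chan].configured) {`, and the same condition would apply to the TX_EVENT case in mhi_process_ctrl_ev_ring. The surrounding loop and the rest of the function lie outside the hunk.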