[PATCH 2/5 v4] accel/qaic: tighten bounds checking in decode_message()
Jeffrey Hugo
quic_jhugo at quicinc.com
Fri Jul 14 16:05:53 UTC 2023
On 7/14/2023 5:42 AM, Pranjal Ramajor Asha Kanojiya wrote:
>
>
> On 7/11/2023 1:50 PM, Dan Carpenter wrote:
>> Copy the bounds checking from encode_message() to decode_message().
>>
>> This patch addresses the following concerns. Ensure that there is
>> enough space for at least one header so that we don't have a negative
>> size later.
>>
>> if (msg_hdr_len < sizeof(*trans_hdr))
>>
>> Ensure that we have enough space to read the next header from the
>> msg->data.
>>
>> if (msg_len > msg_hdr_len - sizeof(*trans_hdr))
>> return -EINVAL;
>>
>> Check that the trans_hdr->len is not below the minimum size:
>>
>> if (hdr_len < sizeof(*trans_hdr))
>>
>> This minimum check ensures that we don't corrupt memory in
>> decode_passthrough() when we do.
>>
>> memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr));
>>
>> And finally, use size_add() to prevent an integer overflow:
>>
>> if (size_add(msg_len, hdr_len) > msg_hdr_len)
>>
>> Fixes: 129776ac2e38 ("accel/qaic: Add control path")
>> Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>
>
> Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy at quicinc.com>
Pushed to drm-misc-fixes
-Jeff
More information about the dri-devel
mailing list