driver/usb: Fix buffer overflow issue detected by KASAN

Fix stack-out-of-bounds issue detected by KASAN, which could result in random kernel memory corruptions: [685:tcpc_event_type]================================================================== [685:tcpc_event_type]BUG: KASAN: stack-out-of-bounds in mt6360_transmit+0xec/0x260 [685:tcpc_event_type]Write of size 28 at addr ffffffe6ca09f963 by task tcpc_event_type/685 [685:tcpc_event_type] [685:tcpc_event_type]CPU: 1 PID: 685 Comm: tcpc_event_type Tainted: G S W O 4.14.186+ #1 [685:tcpc_event_type]Hardware name: MT6853V/NZA (DT) [685:tcpc_event_type]Call trace: [685:tcpc_event_type] dump_backtrace+0x0/0x374 [685:tcpc_event_type] show_stack+0x20/0x2c [685:tcpc_event_type] dump_stack+0x148/0x1b8 [685:tcpc_event_type] print_address_description+0x70/0x248 [685:tcpc_event_type] __kasan_report+0x150/0x180 [685:tcpc_event_type] kasan_report+0x10/0x18 [685:tcpc_event_type] check_memory_region+0x18c/0x198 [685:tcpc_event_type] memcpy+0x48/0x68 [685:tcpc_event_type] mt6360_transmit+0xec/0x260 [685:tcpc_event_type] tcpci_transmit+0xb8/0xe4 [685:tcpc_event_type] pd_send_message+0x238/0x388 [685:tcpc_event_type] pd_reply_svdm_request+0x1f0/0x2f8 [685:tcpc_event_type] pd_dpm_ufp_request_id_info+0xcc/0x188 [685:tcpc_event_type] pe_ufp_vdm_get_identity_entry+0x1c/0x28 [685:tcpc_event_type] pd_handle_event+0x3cc/0x74c [685:tcpc_event_type] pd_policy_enGine_run+0x18c/0x748 [685:tcpc_event_type] tcpc_event_thread_fn+0x1b4/0x32c [685:tcpc_event_type] kthread+0x2a8/0x2c0 [685:tcpc_event_type] ret_from_fork+0x10/0x18 [685:tcpc_event_type]================================================================== Change-Id: I25ee1b2457592d470619f3bea1fb3fc1a2bc678c Reviewed-on: https://gerrit.mot.com/2320832 SME-Granted: SME Approvals Granted SLTApproved: Slta Waiver Reviewed-by: Murilo Alves <alvesm@motorola.com> Reviewed-by: Gilberto Gambugge Neto <gambugge@motorola.com> Tested-by: Jira Key Submit-Approved: Jira Key Signed-off-by: Murilo Alves <alvesm@motorola.com> Reviewed-on: https://gerrit.mot.com/2334041 Reviewed-by: Rafael Ortolan <rafones@motorola.com> Reviewed-by: Zhihong Kang <kangzh@motorola.com>
2022-07-01 13:29:51 -03:00
parent b7f275383a
commit 244a84a926
2 changed files with 4 additions and 4 deletions
--- a/drivers/misc/mediatek/typec/tcpc/tcpc_mt6360.c
+++ b/drivers/misc/mediatek/typec/tcpc/tcpc_mt6360.c
@@ -2121,9 +2121,9 @@ static int mt6360_set_bist_carrier_mode(struct tcpc_device *tcpc, u8 pattern)
 	return 0;
 }

-/* message header (2byte) + data object (7*4) */
+/* transmit count (1byte) + message header (2byte) + data object (7*4) */
 #define MT6360_TRANSMIT_MAX_SIZE \
-	(sizeof(u16) + sizeof(u32) * 7)
+	(1 + sizeof(u16) + sizeof(u32) * 7)

 #ifdef CONFIG_USB_PD_RETRY_CRC_DISCARD
 static int mt6360_retransmit(struct tcpc_device *tcpc)
--- a/drivers/misc/mediatek/typec/tcpc/tcpc_mt6362.c
+++ b/drivers/misc/mediatek/typec/tcpc/tcpc_mt6362.c
@@ -1576,8 +1576,8 @@ static int mt6362_get_message(struct tcpc_device *tcpc, u32 *payload,
 	return ret;
 }

-/* message header (2byte) + data object (7*4) */
-#define MT6362_TRANSMIT_MAX_SIZE	(sizeof(u16) + sizeof(u32) * 7)
+/* transmit count (1byte) + message header (2byte) + data object (7*4) */
+#define MT6362_TRANSMIT_MAX_SIZE	(1 + sizeof(u16) + sizeof(u32) * 7)

 static int mt6362_transmit(struct tcpc_device *tcpc,
 			   enum tcpm_transmit_type type, u16 header,