From 244a84a926ba42483dba00999337cf6444921879 Mon Sep 17 00:00:00 2001 
From: Rafael Ortolan Date: Fri, 1 Jul 2022 13:29:51 -0300 Subject: [PATCH] driver/usb: Fix buffer overflow issue detected by KASAN Fix stack-out-of-bounds issue detected by KASAN, which could result in random kernel memory corruptions: [685:tcpc_event_type]================================================================== [685:tcpc_event_type]BUG: KASAN: stack-out-of-bounds in mt6360_transmit+0xec/0x260 [685:tcpc_event_type]Write of size 28 at addr ffffffe6ca09f963 by task tcpc_event_type/685 [685:tcpc_event_type] [685:tcpc_event_type]CPU: 1 PID: 685 Comm: tcpc_event_type Tainted: G S W O 4.14.186+ #1 [685:tcpc_event_type]Hardware name: MT6853V/NZA (DT) [685:tcpc_event_type]Call trace: [685:tcpc_event_type] dump_backtrace+0x0/0x374 [685:tcpc_event_type] show_stack+0x20/0x2c [685:tcpc_event_type] dump_stack+0x148/0x1b8 [685:tcpc_event_type] print_address_description+0x70/0x248 [685:tcpc_event_type] __kasan_report+0x150/0x180 [685:tcpc_event_type] kasan_report+0x10/0x18 [685:tcpc_event_type] check_memory_region+0x18c/0x198 [685:tcpc_event_type] memcpy+0x48/0x68 [685:tcpc_event_type] mt6360_transmit+0xec/0x260 [685:tcpc_event_type] tcpci_transmit+0xb8/0xe4 [685:tcpc_event_type] pd_send_message+0x238/0x388 [685:tcpc_event_type] pd_reply_svdm_request+0x1f0/0x2f8 [685:tcpc_event_type] pd_dpm_ufp_request_id_info+0xcc/0x188 [685:tcpc_event_type] pe_ufp_vdm_get_identity_entry+0x1c/0x28 [685:tcpc_event_type] pd_handle_event+0x3cc/0x74c [685:tcpc_event_type] pd_policy_enGine_run+0x18c/0x748 [685:tcpc_event_type] tcpc_event_thread_fn+0x1b4/0x32c [685:tcpc_event_type] kthread+0x2a8/0x2c0 [685:tcpc_event_type] ret_from_fork+0x10/0x18 [685:tcpc_event_type]================================================================== Change-Id: I25ee1b2457592d470619f3bea1fb3fc1a2bc678c Reviewed-on: https://gerrit.mot.com/2320832 SME-Granted: SME Approvals Granted SLTApproved: Slta Waiver Reviewed-by: Murilo Alves Reviewed-by: Gilberto Gambugge Neto Tested-by: Jira Key Submit-Approved: Jira 
Key Signed-off-by: Murilo Alves Reviewed-on: https://gerrit.mot.com/2334041 Reviewed-by: Rafael Ortolan Reviewed-by: Zhihong Kang
---
 drivers/misc/mediatek/typec/tcpc/tcpc_mt6360.c | 4 ++--
 drivers/misc/mediatek/typec/tcpc/tcpc_mt6362.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/misc/mediatek/typec/tcpc/tcpc_mt6360.c b/drivers/misc/mediatek/typec/tcpc/tcpc_mt6360.c
index 36b9d7d4289e..aafc1933692f 100644
--- a/drivers/misc/mediatek/typec/tcpc/tcpc_mt6360.c
+++ b/drivers/misc/mediatek/typec/tcpc/tcpc_mt6360.c
@@ -2121,9 +2121,9 @@ static int mt6360_set_bist_carrier_mode(struct tcpc_device *tcpc, u8 pattern)
 return 0;
 }
-/* message header (2byte) + data object (7*4) */
+/* transmit count (1byte) + message header (2byte) + data object (7*4) */
 #define MT6360_TRANSMIT_MAX_SIZE \
- (sizeof(u16) + sizeof(u32) * 7)
+ (1 + sizeof(u16) + sizeof(u32) * 7)
 #ifdef CONFIG_USB_PD_RETRY_CRC_DISCARD
 static int mt6360_retransmit(struct tcpc_device *tcpc)
diff --git a/drivers/misc/mediatek/typec/tcpc/tcpc_mt6362.c b/drivers/misc/mediatek/typec/tcpc/tcpc_mt6362.c
index 779645b5cbb2..2fe7ba7c8279 100644
--- a/drivers/misc/mediatek/typec/tcpc/tcpc_mt6362.c
+++ b/drivers/misc/mediatek/typec/tcpc/tcpc_mt6362.c
@@ -1576,8 +1576,8 @@ static int mt6362_get_message(struct tcpc_device *tcpc, u32 *payload,
 return ret;
 }
-/* message header (2byte) + data object (7*4) */
-#define MT6362_TRANSMIT_MAX_SIZE (sizeof(u16) + sizeof(u32) * 7)
+/* transmit count (1byte) + message header (2byte) + data object (7*4) */
+#define MT6362_TRANSMIT_MAX_SIZE (1 + sizeof(u16) + sizeof(u32) * 7)
 static int mt6362_transmit(struct tcpc_device *tcpc,
 enum tcpm_transmit_type type, u16 header,
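Review bot: The enlarged `MT6360_TRANSMIT_MAX_SIZE` is still tied to the copy in `mt6360_transmit()` only by the comment above it, so a later change to the transmit layout could reintroduce the stack-out-of-bounds write KASAN reported; the same holds for `MT6362_TRANSMIT_MAX_SIZE` in the tcpc_mt6362.c hunk. Both transmit functions lie outside the hunks, so this is inferred from the trace (a 28-byte `memcpy` into the buffer). A guard before that copy, returning an error when the count byte, header and data objects together exceed the macro, would turn silent kernel-stack corruption into a visible failure. The bare `1` would also read more clearly as `sizeof(u8)` to match the other terms, i.e. `(sizeof(u8) + sizeof(u16) + sizeof(u32) * 7)`.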