From bc4f3590a73b0edd0c5ea3956adbe45e776f1206 Mon Sep 17 00:00:00 2001
From: Jack Pham
Date: Mon, 23 Oct 2017 09:47:49 -0700
Subject: [PATCH] usb: pd: avoid out-of-bounds access when reading PDOs

Most often a source will send fewer than the maximum number of PDOs (7). Since the rx_msg buffer is now allocated up to the size of the actual data, honor the rx_msg->data_len when copying to pd->received_pdos rather than always 28 bytes. This fixes out-of-bounds read access as reported by KASAN.

Change-Id: I5f98f7ccba027c1ab436ccf6fc822e2a319bafa1
Signed-off-by: Jack Pham
---
 drivers/usb/pd/policy_engine.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/pd/policy_engine.c b/drivers/usb/pd/policy_engine.c
index 7225bfde8316..aef8de046b8e 100644
--- a/drivers/usb/pd/policy_engine.c
+++ b/drivers/usb/pd/policy_engine.c
@@ -2253,8 +2253,11 @@ static void usbpd_sm(struct work_struct *w)
 &val);
 /* save the PDOs so userspace can further evaluate */
- memcpy(&pd->received_pdos, rx_msg->payload,
+ memset(&pd->received_pdos, 0, sizeof(pd->received_pdos));
+ memcpy(&pd->received_pdos, rx_msg->payload,
+ min_t(size_t, rx_msg->data_len,
+ sizeof(pd->received_pdos)));
 pd->src_cap_id++;
 usbpd_set_state(pd, PE_SNK_EVALUATE_CAPABILITY);
@@ -2365,8 +2368,11 @@ static void usbpd_sm(struct work_struct *w)
 case PE_SNK_READY:
 if (IS_DATA(rx_msg, MSG_SOURCE_CAPABILITIES)) {
 /* save the PDOs so userspace can further evaluate */
- memcpy(&pd->received_pdos, rx_msg->payload,
+ memset(&pd->received_pdos, 0, sizeof(pd->received_pdos));
+ memcpy(&pd->received_pdos, rx_msg->payload,
+ min_t(size_t, rx_msg->data_len,
+ sizeof(pd->received_pdos)));
 pd->src_cap_id++;
 usbpd_set_state(pd, PE_SNK_EVALUATE_CAPABILITY);
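Review bot: The four new lines (the memset followed by the min_t-bounded memcpy) are duplicated verbatim in both hunks of usbpd_sm, once at the @@ -2253 hunk and again under PE_SNK_READY, so the copy bound now lives in two places that must be kept in sync; a small static helper taking pd and rx_msg that performs the memset and the bounded memcpy would let each site collapse to `usbpd_save_received_pdos(pd, rx_msg);`. That helper's header comment should say that slots beyond rx_msg->data_len are zero-filled, because userspace reads the whole pd->received_pdos array and has no other way to tell an absent PDO from a received one. If rx_msg->data_len can ever be something other than a multiple of the PDO size, the last slot would silently hold a zero-padded partial object; it is worth confirming that the receive path guarantees whole data objects, or rejecting such a message before the copy. usbpd_sm begins and ends outside both hunks.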