[PATCH 0/6] thunderbolt: harden XDomain property exchange

Michael Bommarito posted 6 patches 2 weeks ago
drivers/thunderbolt/property.c |  6 ++++++
drivers/thunderbolt/test.c     | 40 ++++++++++++++++++++++++++++++++++++++++
drivers/thunderbolt/xdomain.c  | 14 +++++++++++---
3 files changed, 57 insertions(+), 3 deletions(-)
[PATCH 0/6] thunderbolt: harden XDomain property exchange
Posted by Michael Bommarito 2 weeks ago
This series fixes 4 memory-safety defects and 1 data-handling
hardening issue in the Thunderbolt XDomain property exchange path
(property.c and xdomain.c) and adds KUnit regression tests.
All are reachable from an adjacent Thunderbolt peer without
authentication.  The XDomain protocol runs automatically on cable
insertion regardless of the configured security level, unless
disabled with thunderbolt.xdomain=0.

Patches:

  1/6 - reject zero-length property entries in validator
  2/6 - bound root directory content to block size
  3/6 - clamp XDomain response data copy to allocation size
  4/6 - validate XDomain request packet size before type cast
  5/6 - limit XDomain response copy to actual frame size
  6/6 - add KUnit tests for property parser bounds checks

Tested with KASAN on v7.1-rc3 and over Thunderbolt 4 hardware.
KUnit regression tests (patch 6) confirm the fixes and existing
tb_test_property_* tests pass on the patched tree.

Based-on: thunderbolt/fixes (928abe19fbf01)

Michael Bommarito (6):
  thunderbolt: reject zero-length property entries in validator
  thunderbolt: bound root directory content to block size
  thunderbolt: clamp XDomain response data copy to allocation size
  thunderbolt: validate XDomain request packet size before type cast
  thunderbolt: limit XDomain response copy to actual frame size
  thunderbolt: test: add KUnit tests for property parser bounds checks

 drivers/thunderbolt/property.c |  6 ++++++
 drivers/thunderbolt/test.c     | 40 ++++++++++++++++++++++++++++++++++++++++
 drivers/thunderbolt/xdomain.c  | 14 +++++++++++---
 3 files changed, 57 insertions(+), 3 deletions(-)
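Added example, written for this page and not taken from the series or from drivers/thunderbolt/: a self-contained userspace model in C of the validator checks that patches 1/6, 2/6 and 4/6 describe, exercised against a constructed property block that is then corrupted one dword at a time the way a hostile peer could. The entry layout (8-byte key, 16-bit dword length, type byte, 32-bit value or dword offset), the 2-dword root header, the 4-dword UUID at the start of a sub-directory, the magic value, the keys and the nesting bound are all assumptions made for the example; the copy-size clamps of 3/6 and 5/6 are not modelled.

```c
/*
 * Added example, not code from this series or from drivers/thunderbolt/: a
 * userspace model of the property-block bounds checks the cover letter lists.
 * Assumed layout (modelled on the Thunderbolt property format): root header
 * {magic, length in dwords}; entries of 4 dwords {key_hi, key_lo,
 * length(16)|reserved(8)|type(8), value}; DATA/TEXT/DIRECTORY values are dword
 * offsets; a sub-directory starts with a 4-dword UUID counted in its length.
 */
#include <stdint.h>
#include <string.h>

enum { PROP_DIRECTORY = 0x44, PROP_DATA = 0x64, PROP_TEXT = 0x74, PROP_VALUE = 0x76 };
enum { ROOT_HDR_DWORDS = 2, DIR_UUID_DWORDS = 4, ENTRY_DWORDS = 4, MAX_DEPTH = 4 };

enum prop_err {
	PROP_OK = 0,
	PROP_ERR_SHORT_PACKET,	/* fewer bytes than the root header we read */
	PROP_ERR_DIR_OVERRUN,	/* directory content runs past the block */
	PROP_ERR_ZERO_LENGTH,	/* entry advertises length 0 */
	PROP_ERR_BAD_LENGTH,	/* VALUE len != 1, or directory shorter than its UUID */
	PROP_ERR_DATA_OVERRUN,	/* offset + length points past the block */
	PROP_ERR_TOO_DEEP,	/* nesting bound hit, e.g. a self-referencing directory */
};

/* Emit one 4-dword entry; key_lo is left 0 for brevity */
#define ENTRY(key, type, len, val) \
	(key), 0u, ((uint32_t)(type) << 24 | ((len) & 0xffffu)), (val)

static enum prop_err validate_dir(const uint32_t *blk, size_t nblk,
				  size_t off, size_t len, int depth)
{
	size_t i, nentries;
	enum prop_err err;

	if (depth > MAX_DEPTH)
		return PROP_ERR_TOO_DEEP;
	if (off > nblk || len > nblk - off)	/* 2/6: directory lies inside the block */
		return PROP_ERR_DIR_OVERRUN;
	nentries = len / ENTRY_DWORDS;		/* a trailing partial entry is ignored */
	for (i = 0; i < nentries; i++) {
		const uint32_t *e = blk + off + i * ENTRY_DWORDS;
		uint32_t elen = e[2] & 0xffffu, val = e[3];
		uint8_t type = e[2] >> 24;

		if (elen == 0)			/* 1/6: zero length is never valid */
			return PROP_ERR_ZERO_LENGTH;
		if (type == PROP_VALUE) {
			if (elen != 1)
				return PROP_ERR_BAD_LENGTH;
			continue;		/* immediate value, nothing to dereference */
		}
		if (type != PROP_DIRECTORY && type != PROP_DATA && type != PROP_TEXT)
			continue;		/* unknown types carry no trusted offset */
		if ((uint64_t)val + elen > nblk)	/* widen first so the sum cannot wrap */
			return PROP_ERR_DATA_OVERRUN;
		if (type == PROP_DIRECTORY) {
			if (elen < DIR_UUID_DWORDS)	/* else elen - 4 underflows */
				return PROP_ERR_BAD_LENGTH;
			err = validate_dir(blk, nblk, val + DIR_UUID_DWORDS,
					   elen - DIR_UUID_DWORDS, depth + 1);
			if (err)
				return err;
		}
	}
	return PROP_OK;
}

/* @pkt is the raw response payload; the caller guarantees 4-byte alignment */
enum prop_err validate_property_packet(const void *pkt, size_t len)
{
	const uint32_t *blk = pkt;
	size_t nblk = len / 4;

	if (len % 4 || nblk < ROOT_HDR_DWORDS)	/* 4/6: size-check before any read */
		return PROP_ERR_SHORT_PACKET;
	return validate_dir(blk, nblk, ROOT_HDR_DWORDS, blk[1], 0); /* blk[1]: root len */
}

/* Constructed 24-dword sample: a root dir holding a VALUE, a TEXT and a sub-DIRECTORY */
static const uint32_t good_block[] = {
	0x55584401u, 12u,					/* magic (unchecked), root length */
	ENTRY(0x646e6576u, PROP_VALUE,     1, 0x8086u),		/* "vend" */
	ENTRY(0x656d616eu, PROP_TEXT,      2, 14u),		/* "name" -> dwords 14-15 */
	ENTRY(0x64627573u, PROP_DIRECTORY, 8, 16u),		/* "subd" -> dwords 16-23 */
	0x74736554u, 0u,					/* "Test" padded */
	0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u,	/* sub-dir UUID */
	ENTRY(0x6c747270u, PROP_VALUE,     1, 3u),		/* "prtl" */
};

/* Corrupt one dword of the sample, as a hostile peer could, then validate */
enum prop_err validate_mutated(size_t idx, uint32_t val)
{
	uint32_t blk[sizeof(good_block) / sizeof(good_block[0])];

	memcpy(blk, good_block, sizeof(blk));
	blk[idx] = val;
	return validate_property_packet(blk, sizeof(blk));
}
```

The block has no main(): link it with a small driver of your own that calls validate_property_packet() on a captured block, or validate_mutated() with the index of the dword to corrupt (index 1 is the root length, index 8 the TEXT entry's length/type word, index 13 the sub-directory offset), and build with -fsanitize=address so a check that is removed shows up as an out-of-bounds read instead of a wrong return code. The ordering is deliberate: the zero-length test comes before anything is dereferenced, the offset arithmetic is widened to 64 bits before comparing against the block size, and the UUID headroom is checked before subtracting it, so none of the three size computations can wrap on peer-controlled input.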
Re: [PATCH 0/6] thunderbolt: harden XDomain property exchange
Posted by Mika Westerberg 1 week, 6 days ago
Hi,

On Mon, May 25, 2026 at 05:28:24AM -0400, Michael Bommarito wrote:
> This series fixes 4 memory-safety defects and 1 data-handling
> hardening issue in the Thunderbolt XDomain property exchange path
> (property.c and xdomain.c) and adds KUnit regression tests.
> All are reachable from an adjacent Thunderbolt peer without
> authentication.  The XDomain protocol runs automatically on cable
> insertion regardless of the configured security level, unless
> disabled with thunderbolt.xdomain=0.
> 
> Patches:
> 
>   1/6 - reject zero-length property entries in validator
>   2/6 - bound root directory content to block size
>   3/6 - clamp XDomain response data copy to allocation size
>   4/6 - validate XDomain request packet size before type cast
>   5/6 - limit XDomain response copy to actual frame size
>   6/6 - add KUnit tests for property parser bounds checks
> 
> Tested with KASAN on v7.1-rc3 and over Thunderbolt 4 hardware.
> KUnit regression tests (patch 6) confirm the fixes and existing
> tb_test_property_* tests pass on the patched tree.
> 
> Based-on: thunderbolt/fixes (928abe19fbf01)
> 
> Michael Bommarito (6):
>   thunderbolt: reject zero-length property entries in validator
>   thunderbolt: bound root directory content to block size
>   thunderbolt: clamp XDomain response data copy to allocation size
>   thunderbolt: validate XDomain request packet size before type cast
>   thunderbolt: limit XDomain response copy to actual frame size

All these applied to thunderbolt.git/fixes.

>   thunderbolt: test: add KUnit tests for property parser bounds checks

This one applied to thunderbolt.git/next.

Thanks!