From nobody Mon Jun 8 23:56:26 2026 Received: from mail-qv1-f47.google.com (mail-qv1-f47.google.com [209.85.219.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F1E0C3E5579 for ; Mon, 25 May 2026 09:29:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.47 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701342; cv=none; b=fQaqq8GMHfw02HAnXnwW7TVY/6r5QGRkt89AKFuk4dTRxcCWSd8zFvKmD95//Gnt+gWDFp83UF5KZdRPbZcgxJNCMeRCVqJBbiaLnXS8L1r/+3Jh4R/r/9ymJJQtbCsPtQdTSbmlAHotPiwhijA1hJAZPNttiZuQUQgCt39+3EE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701342; c=relaxed/simple; bh=oRcRReuuL2uOsa8tofODlTfTr2wFpNOKYmsL6dymuwE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fIFNZLwpPpRAXaGfLO3ziAVeas4dVm0n31vRMDZN5/VkdIRTUrI4ZIf0MYuo8mLmN9nIQ/fs5IhtFxuIOvx7l9PRqQQirpsQIusoM453xz0vZ2Bp0KbIUedFZRp4ur5kDe6AnGtLASDg281XBy/fF8QroDRUMjJxHcgFnSoV4fQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=slEtP1tM; arc=none smtp.client-ip=209.85.219.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="slEtP1tM" Received: by mail-qv1-f47.google.com with SMTP id 6a1803df08f44-8b5232009a6so137277386d6.1 for ; Mon, 25 May 2026 02:29:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779701340; x=1780306140; darn=vger.kernel.org; 
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=rs/GTZf77euP8CWwg6koAQaKj3q73D7iZ013TlHvejo=; b=slEtP1tMOWiJaZUTZsMksdc0PjOqGDLsMuFcY+45DkSNxiem5aS+KNzJ5DveQq3e9z zcW+u3S3bG96VSYxbpRcL5WgfG5vXwiZiwXClI4e+AMbdujhNBoVjU3+SKLj+1lVkjaR nHAwDv5rMRLM8efEhUEm4+a0tBtrmeqKMMrFk3NrixqstA8CIkvL67O+7QcMpE1StxVa 7FbI9QAMpoq9SUxcaVJIvSh58nJ060LJiBexutIYVoTwSmNGRG5fbS/Tu0c6+R7/1n4b s608vswccEIwfJYABl1YXRjUA+ZypYrj4lteu32rDh1dFED2wwXdvQVJzrfCUBcnfAaR nEBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779701340; x=1780306140; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=rs/GTZf77euP8CWwg6koAQaKj3q73D7iZ013TlHvejo=; b=FrKBa49VPk44klI8H0QDsiGZwQ6Ss8FoWTXinV3RPkGK+zKH8zy9L/EA7JWjToOirl EGQfG6THSq9PpUoJuJFPKLy4G+lqxDKZBXo/tTjSCNLYmBNXzBE0T8Rkh6tbDLnD5nUQ h6yR6Pbh3b6fCuCJ0fH8kcTXcSdRa8n9Wis0ONf4D4HKLmUSCjkxUSJdj/oLKNO/Sifz vQ9FIh5j2+2LfuPFQCfePWohbvvCArcto9YUGUxMj2uEp8n7WBr+3qQvZ7HRX1jKPG0U D5dxqKQe8al3a1Wtf94jdnu73Jp6BOINaVzLGB2zOGfJwrCahXWF+5vPOdyEzBOey9vZ DuXw== X-Forwarded-Encrypted: i=1; AFNElJ+nTQX54xerjGqOehQBarQP6T0iQMXo54dt00vtv5PP0IAw7mnqb+IKw9tO98BH5mwTvcmiNV5c3my7ELs=@vger.kernel.org X-Gm-Message-State: AOJu0Yw2ZXj3CAeKwZKY15VsM7hR9l0U/k2vokkoeU8XPYLGbxc1+tcW isfe5RIK6Zl2BTYUfo9XJL5WoC/KbR6UvJH7P0FfB0ECHZLCVWDOxUVj X-Gm-Gg: Acq92OEY9HO3ANiMtw6OZTdgNCCWBUvsBKbOs+c88tzhUbt2ddYyxnpOVUUIVRndTUr qn+SvpkRTu+mcgOJDPewckNHss0uA2xmD++mUQy4bazQi3FhYBoAX8lQoBYvYDtORcu/uHHOuSy QcZGAZ77TiD57LZOxTFsHZpFo3A5XvlPMX4Ygl/EQRyHq1JeNJX9Q+BRI+wccfHaXaztrNTRLsU 8XTky8K4LCXuRS7Uk/ELzKXyvsR+Qz9DZ4Vj6wylnqjFuPSeS8h4WrCkfNPuZKAXUHdhr5M4Ktg 2bRQv6hIbhXBX04+RK4BDsavtLYe9oGB/xDXG2RPZrxPHnTt3ERHWcGFiuUnT4cJQwAGhC/LM++ Lzw2Dc0+9UCTk0NADFXLyPDaCU13vgWa97IFVwrbxbcUCmUcHCJCBa19s429HOZeisf3lNu3Snq 
/QuyKxEdwfAS0ANhF4AOLhnlQifODSmCdWx3dzM0NEmiGuvbRKdOAS8m1LspucIlMmGesbPMKYQ ZRi7+QwBfpD5aqRAwjbEUBJZCYN2PYKFla+5keejaA= X-Received: by 2002:a05:6214:300e:b0:8ca:164c:a861 with SMTP id 6a1803df08f44-8cc7b4ec38emr247568386d6.2.1779701339783; Mon, 25 May 2026 02:28:59 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8cc80dcf4a9sm104255826d6.2.2026.05.25.02.28.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 May 2026 02:28:59 -0700 (PDT)

From: Michael Bommarito
To: Mika Westerberg, Andreas Noever, Yehezkel Bernat
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/6] thunderbolt: reject zero-length property entries in validator
Date: Mon, 25 May 2026 05:28:25 -0400
Message-ID: <20260525092830.735472-2-michael.bommarito@gmail.com>
In-Reply-To: <20260525092830.735472-1-michael.bommarito@gmail.com>
References: <20260525092830.735472-1-michael.bommarito@gmail.com>

tb_property_entry_valid() accepts entries with length == 0 for
DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes
validation but causes an underflow in the null-termination logic:

    property->value.text[property->length * 4 - 1] = '\0';

When property->length is 0 this writes to offset -1 relative to the
allocation.

Reject zero-length entries early in the validator since they have no
valid representation in the XDomain property protocol.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 drivers/thunderbolt/property.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c index da2c59a17db5c..5cbc1c4f159c2 100644 --- a/drivers/thunderbolt/property.c +++ b/drivers/thunderbolt/property.c 
@@ -60,6 +60,8 @@ static bool tb_property_entry_valid(const struct tb_prope= rty_entry *entry, case TB_PROPERTY_TYPE_DIRECTORY: case TB_PROPERTY_TYPE_DATA: case TB_PROPERTY_TYPE_TEXT: + if (!entry->length) + return false; if (entry->length > block_len) return false; if (check_add_overflow(entry->value, entry->length, &end) || base-commit: 928abe19fbf0127003abcb1ea69cabc1c897d0ab --=20 2.53.0 From nobody Mon Jun 8 23:56:26 2026 Received: from mail-qv1-f43.google.com (mail-qv1-f43.google.com [209.85.219.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C750F3E5EE2 for ; Mon, 25 May 2026 09:29:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701343; cv=none; b=i+4crovNCgUGN4qfTus+5OMLsuoC4mZbAiDKCrNSHC2KlInsW9aAW+41lzbmElW1dHG9JXFbi2M1Jq7dKFruuCn2+M58v3GanosWYx6vihCYF4vqbmMibHYkAnGf1ssUwGL4aB0L2iUDiP1vs3FBysfniRLAGTpaafFcgb20qmU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701343; c=relaxed/simple; bh=v/6rZ1VmN1v3nBRbzYBC6QI9R/AMWWmdAQWVgoLRewc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PdsXGRGIIQwtWNdxHMY1hyzEwowdt/nqNXfLu66e81NHHf3poBH47IGSBaqSUOhWP5cFzCk0dwFPumIrLDQZ0L90UFcBrNRb7ZLH1YtCB23hMEbGR/mCpA65Ss69T9GtWNVybVRtJC+Ifr9mGLu1RVwNeeYDnTC/MaCxzj0qjyc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=bX46uY/x; arc=none smtp.client-ip=209.85.219.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; 
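Review bot: the new `if (!entry->length) return false;` rejects empty DIRECTORY and DATA entries as well as the TEXT case the changelog motivates. The changelog asserts that zero-length entries "have no valid representation" without saying why that holds for DATA and DIRECTORY; either state it (an empty data blob or directory is invalid on the wire) or narrow the check to TB_PROPERTY_TYPE_TEXT if an empty DATA payload is legitimate. A one-line comment above the check pointing at the `length * 4 - 1` terminator write it guards would also stop a later reader from dropping it as redundant with the `entry->length > block_len` check that follows.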
From: Michael Bommarito
To: Mika Westerberg, Andreas Noever, Yehezkel Bernat
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/6] thunderbolt: bound root directory content to block size
Date: Mon, 25 May 2026 05:28:26 -0400
Message-ID: <20260525092830.735472-3-michael.bommarito@gmail.com>
In-Reply-To: <20260525092830.735472-1-michael.bommarito@gmail.com>
References: <20260525092830.735472-1-michael.bommarito@gmail.com>

__tb_property_parse_dir() does not check that content_offset +
content_len fits within block_len for the root directory case. When
rootdir->length equals or exceeds block_len - 2, the entry loop reads
past the allocated property block.

Add a bounds check after computing content_offset and content_len to
reject directories whose content extends past the block.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 drivers/thunderbolt/property.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c
index 5cbc1c4f159c2..59beab43f90a6 100644
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -187,6 +187,10 @@ static struct tb_property_dir *__tb_property_parse_dir= (const u32 *block, if (is_root) { content_offset =3D dir_offset + 2; content_len =3D dir_len; + if (content_offset + content_len > block_len) { + tb_property_free_dir(dir); + return NULL; + } } else { if (dir_len < 4) { tb_property_free_dir(dir); --=20 2.53.0 From nobody Mon Jun 8 23:56:26 2026 Received: from mail-qv1-f45.google.com (mail-qv1-f45.google.com [209.85.219.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B6F3B3E63A1 for ; Mon, 25 May 2026 09:29:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701346; cv=none; b=Dfan+UxUPm2FEdkodsXMkG2fvUvalmPqi6+IeKQs1j6SkAAkGyIAHeZMU4Cvl7azFpdE347D6qoiTH+6YoFC6qdhZrEp9VtbZeoLdYar30DF7VKABzeh00jSVmNtRPsbS3v7PPJOFWaXsW2PXp8Z9KuWA+urd6K6NFNy8DAVmp0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701346; c=relaxed/simple; bh=aSVYpEez6Aw3aMw4yoHZCiaTJpswyN4Tsnuhzn+aSKw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=QsJjEXZECRgesnIdNU209bBMpiETbva5jhnQADlnRlHQ2OV4I9Y1FlbcWo0hlwFgS/8zVh37MuPOe8Cs5RNGGQMJHrk6M/aDJcL3T8MO32LT+HbZrsEpWTVT2NETenBf91AH30jQaNdpyo+8UWq88ozcN5cwfAdob/AWLYC1UDo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=n7qC440Q; arc=none smtp.client-ip=209.85.219.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com 
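Review bot: `content_offset + content_len > block_len` is a plain addition on peer-supplied values, so a large enough dir_len wraps the sum below block_len and the check passes; the entry validator in the same file already uses `check_add_overflow(entry->value, entry->length, &end)` for exactly this pattern, so compute the end with `check_add_overflow(content_offset, content_len, &end)` and reject on overflow or `end > block_len`. The `tb_property_free_dir(dir); return NULL;` error path matches the existing `dir_len < 4` branch in the non-root case, which is the right shape.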
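The following is an added example, not code from the patch series or from the kernel: a user-space model of the two bounds checks in patches 1/6 and 2/6 above, so the failure modes they close can be exercised without a Thunderbolt peer. The struct layout, the enum values and the helper names (`prop_entry`, `entry_valid`, `text_terminator_index`, `root_content_fits`) are assumptions; the order of checks and the field names follow the hunks, `__builtin_add_overflow` stands in for the kernel's `check_add_overflow()`, and the `end > block_len` bound after the overflow check is assumed to be what follows the `||` that the hunk cuts off.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model types: names and values are assumptions, not the kernel's. */
enum prop_type { PROP_VALUE, PROP_DIRECTORY, PROP_DATA, PROP_TEXT };

struct prop_entry {
	uint32_t value;        /* dword offset of the payload for dir/data/text */
	uint32_t length;       /* payload length in dwords */
	enum prop_type type;
};

/* Validator modelled on tb_property_entry_valid() after patch 1/6. */
static bool entry_valid(const struct prop_entry *e, size_t block_len)
{
	size_t end;

	switch (e->type) {
	case PROP_DIRECTORY:
	case PROP_DATA:
	case PROP_TEXT:
		if (!e->length)            /* patch 1/6: empty payload is invalid */
			return false;
		if (e->length > block_len)
			return false;
		/* Overflow-safe end computation (check_add_overflow stand-in). */
		if (__builtin_add_overflow((size_t)e->value, (size_t)e->length, &end) ||
		    end > block_len)
			return false;
		return true;
	case PROP_VALUE:
		return true;               /* value is stored inline, nothing to bound */
	}
	return false;
}

/*
 * Byte index the TEXT null terminator is written to, i.e. the
 * property->length * 4 - 1 expression from the changelog. For length 0
 * this is -1, one byte before the allocation, which the new check stops.
 */
static long text_terminator_index(uint32_t length)
{
	return (long)length * 4 - 1;
}

/*
 * Root directory bound from patch 2/6: content_offset = dir_offset + 2,
 * content_len = dir_len, and the end must stay inside block_len. Both
 * additions are overflow-checked instead of the plain
 * content_offset + content_len > block_len comparison, which can wrap.
 */
static bool root_content_fits(size_t dir_offset, size_t dir_len, size_t block_len)
{
	size_t content_offset, end;

	if (__builtin_add_overflow(dir_offset, (size_t)2, &content_offset))
		return false;
	if (__builtin_add_overflow(content_offset, dir_len, &end))
		return false;
	return end <= block_len;
}

int main(void)
{
	/* Constructed entries: an empty TEXT entry and a well-formed one. */
	struct prop_entry empty_text = { .value = 4, .length = 0, .type = PROP_TEXT };
	struct prop_entry ok_text = { .value = 4, .length = 2, .type = PROP_TEXT };
	size_t block_len = 8;

	printf("empty TEXT: valid=%d terminator index=%ld\n",
	       entry_valid(&empty_text, block_len),
	       text_terminator_index(empty_text.length));
	printf("2-dword TEXT: valid=%d terminator index=%ld\n",
	       entry_valid(&ok_text, block_len),
	       text_terminator_index(ok_text.length));
	printf("root dir of 6 dwords at offset 0 in an 8-dword block: fits=%d\n",
	       root_content_fits(0, 6, 8));
	printf("root dir of 7 dwords at offset 0 in an 8-dword block: fits=%d\n",
	       root_content_fits(0, 7, 8));
	return 0;
}
```

The interesting cases are the ones the hunks are about: the empty TEXT entry is rejected before any terminator index is computed, and a root directory whose two-dword header plus content is exactly one dword too long for the block is refused, as is any offset/length pair whose sum wraps.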
From: Michael Bommarito
To: Mika Westerberg, Andreas Noever, Yehezkel Bernat
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 3/6] thunderbolt: clamp XDomain response data copy to allocation size
Date: Mon, 25 May 2026 05:28:27 -0400
Message-ID: <20260525092830.735472-4-michael.bommarito@gmail.com>
In-Reply-To: <20260525092830.735472-1-michael.bommarito@gmail.com>
References: <20260525092830.735472-1-michael.bommarito@gmail.com>

tb_xdp_properties_request() derives the per-packet copy length from the
response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field larger
than the declared data_length, causing memcpy to write past the kcalloc
allocation.

Clamp the per-packet copy length so that the cumulative offset never
exceeds data_len.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
Confirmed over Thunderbolt 4 cable (Framework -> Dell, stock Ubuntu 26.04
7.0.0-15-generic). Also reproduced with KASAN on QEMU (7.1.0-rc3):

    BUG: KASAN: slab-out-of-bounds in tb_test_synthetic_overflow.cold+0x131/0x29a
    Write of size 192 at addr ffff888002110200

 drivers/thunderbolt/xdomain.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c
index 754808c43f006..4099419c74795 100644
--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -393,6 +393,8 @@ static int tb_xdp_properties_request(struct tb_ctl *ctl= , u64 route, } } =20 + if (req.offset + len > data_len) + len =3D data_len - req.offset; memcpy(data + req.offset, res->data, len * 4); req.offset +=3D len; } while (!data_len || req.offset < data_len); --=20 2.53.0 From nobody Mon Jun 8 23:56:26 2026 Received: from mail-qv1-f42.google.com (mail-qv1-f42.google.com [209.85.219.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8A9463E5A36 for ; Mon, 25 May 2026 09:29:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701349; cv=none; b=m90+jxoD/OiIJyKEzmrP4OxTMPdiTSTKBKr8KvZW0r2UPoO11V06S6fTF2U7cB54kWCHpk4nEe4ChBP2AvquuETfx4E4a85Z+jYnzXJ2t+vXXjpL7RRtR2rPWHetePgbXQfxuZyHq3T0bkUNnPvTtDcC6mbi2t6ifJS1/agiIvI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701349; c=relaxed/simple; bh=rIT61GM5oNN2rhJVeEs8hIYSGWUY3khADL2DBDHXiV0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Ukdrv+4+kICIBhnO6oWsOlI95Y9N9zGkGtvRLP8V+qcZmaP6HDje7+8ppwf3q5CXaJ71gBi7gAo9pZS5sTjHodXTSQoByTyBHIRF5d4/0+jPRtnsI5PF3c7Db/yUZdXyiRdcsAh/OuWeTY1NKh31/r6bkCeEKk3g91+xz1SmicE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=kGT201i7; arc=none smtp.client-ip=209.85.219.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="kGT201i7" Received: by 
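Review bot: the clamp silently truncates where an over-long response is really a protocol violation, and it interacts badly with the loop condition `while (!data_len || req.offset < data_len)`: when data_len is 0 the clamp yields `len = 0 - req.offset`, so with req.offset at 0 len becomes 0, req.offset never advances and the `!data_len` term keeps re-issuing the request indefinitely. Suggest returning an error (e.g. -EPROTO) when `req.offset + len > data_len` instead of clamping, and rejecting a declared data_len of 0 up front so the loop cannot spin on it.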
From: Michael Bommarito
To: Mika Westerberg, Andreas Noever, Yehezkel Bernat
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 4/6] thunderbolt: validate XDomain request packet size before type cast
Date: Mon, 25 May 2026 05:28:28 -0400
Message-ID: <20260525092830.735472-5-michael.bommarito@gmail.com>
In-Reply-To: <20260525092830.735472-1-michael.bommarito@gmail.com>
References: <20260525092830.735472-1-michael.bommarito@gmail.com>

tb_xdp_handle_request() casts the received packet buffer to
protocol-specific structs without verifying that the allocation is large
enough for the target type. A peer can send a minimal XDomain packet
that passes the generic header length check but is shorter than the
struct accessed after the cast, causing out-of-bounds reads from the
kmemdup allocation.

Plumb the packet length through xdomain_request_work and validate it
against the expected struct size before each cast.

Fixes: 8e1de7042596 ("thunderbolt: Add support for XDomain lane bonding")
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito --- Stock KASAN splat reproduced on QEMU (7.1.0-rc3). A test module allocates a 32-byte packet (tb_xdp_header only) and casts to tb_xdp_link_state_change (36 bytes). The read past the allocation fires immediately: BUG: KASAN: slab-out-of-bounds in tb_test_xdp_short_packet_cast_trigger.cold+0x118/0x12d Read of size 1 at addr ffff888002110260 located 0 bytes to the right of allocated 32-byte region Also exercised over Thunderbolt 4 cable with 258 truncated-packet injections (PROPERTIES_REQUEST 68 -> 32 bytes). drivers/thunderbolt/xdomain.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c index 4099419c74795..9d54e3ccc8278 100644 --- a/drivers/thunderbolt/xdomain.c +++ b/drivers/thunderbolt/xdomain.c @@ -55,6 +55,7 @@ static const char * const state_names[] =3D { struct xdomain_request_work { struct work_struct work; struct tb_xdp_header *pkg; + size_t pkg_len; struct tb *tb; }; =20 @@ -733,6 +734,7 @@ static void tb_xdp_handle_request(struct work_struct *w= ork) struct xdomain_request_work *xw =3D container_of(work, typeof(*xw), work); const struct tb_xdp_header *pkg =3D xw->pkg; const struct tb_xdomain_header *xhdr =3D &pkg->xd_hdr; + size_t pkg_len =3D xw->pkg_len; struct tb *tb =3D xw->tb; struct tb_ctl *ctl =3D tb->ctl; struct tb_xdomain *xd; @@ -764,7 +766,7 @@ static void tb_xdp_handle_request(struct work_struct *w= ork) switch (pkg->type) { case PROPERTIES_REQUEST: tb_dbg(tb, "%llx: received XDomain properties request\n", route); - if (xd) { + if (xd && pkg_len >=3D sizeof(struct tb_xdp_properties)) { ret =3D tb_xdp_properties_response(tb, ctl, xd, sequence, (const struct tb_xdp_properties *)pkg); } 
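Review bot: in the PROPERTIES_REQUEST arm, when `pkg_len < sizeof(struct tb_xdp_properties)` the request is dropped with no trace: the preceding `tb_dbg(tb, "%llx: received XDomain properties request\n", route)` fires and then nothing records why no response went out. Add a `tb_dbg`/`tb_warn` for the short-packet case (a malformed peer message is worth seeing in the log), ideally through a small helper that checks `pkg_len` against a size and logs, since the same test is repeated for the link state change arm. The changelog says the length is validated "before each cast", but the diffstat (6 insertions, 2 deletions) only covers the properties and link-state casts; if other arms of this switch cast `pkg` to a struct larger than `struct tb_xdp_header`, they need the same guard.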
@@ -818,7 +820,8 @@ static void tb_xdp_handle_request(struct work_struct *w= ork) tb_dbg(tb, "%llx: received XDomain link state change request\n", route); =20 - if (xd && xd->state =3D=3D XDOMAIN_STATE_BONDING_UUID_HIGH) { + if (xd && xd->state =3D=3D XDOMAIN_STATE_BONDING_UUID_HIGH && + pkg_len >=3D sizeof(struct tb_xdp_link_state_change)) { const struct tb_xdp_link_state_change *lsc =3D (const struct tb_xdp_link_state_change *)pkg; =20 
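Review bot: folding `pkg_len >= sizeof(struct tb_xdp_link_state_change)` into the same condition as `xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH` makes a truncated packet indistinguishable from a well-formed one that arrived in the wrong state, and both fall through silently. Split the length test into its own `if (pkg_len < sizeof(struct tb_xdp_link_state_change)) { tb_dbg(...); break; }` ahead of the state check so the drop reason is recorded, and keep the state test as it was.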
@@ -870,6 +873,7 @@ tb_xdp_schedule_request(struct tb *tb, const struct tb_= xdp_header *hdr, kfree(xw); return false; } + xw->pkg_len =3D size; xw->tb =3D tb_domain_get(tb); =20 schedule_work(&xw->work); --=20 2.53.0 From nobody Mon Jun 8 23:56:26 2026 Received: from mail-qv1-f46.google.com (mail-qv1-f46.google.com [209.85.219.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 877F73E7140 for ; Mon, 25 May 2026 09:29:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.46 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701348; cv=none; b=gkIjGllou8H7nYJDRb4Q5+2fgnhknKdDuzafWdc06xNChsQwLFDQ1uCs7JAS+sPa/AeuudnVvC6ZkiZnHJUm6aJGvp3zNo4K7uj32kxCQXw3oPG9/l2Vq+/auqmkOtHxaT6st6LvKZHo05IfpJ7pN+DzUTIn7p0GQTJPtuCpr2M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779701348; c=relaxed/simple; bh=xYqqCZX1aHrmamBy2SBhedm1rID/oN896iWM3DutL3w=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=dmmDmNeEbX1KLaJQGcbOKiN6iOXO0p1I0fBfIs4leQQ9U0n8UOSaXMkEcD0aIFkuWShK+iLiFvblP1SHcYl9w681u5tmNVYbRvl6+5B2FSpY5jwr3HN6PAIR4A2S0Lnd17PJAjPoGXGUhUUHFKTYR/rqdsUBKKEl3sdNRqGrr1A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=KdpFxHjG; arc=none smtp.client-ip=209.85.219.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="KdpFxHjG" Received: by mail-qv1-f46.google.com with SMTP id 6a1803df08f44-8b4000e51fdso105716156d6.1 for ; 
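Review bot: `xw->pkg_len = size;` records the length, but the handler in the earlier hunk still reads `&pkg->xd_hdr` and `pkg->type` before any of the new per-type checks, so the caller must guarantee `size >= sizeof(struct tb_xdp_header)` before tb_xdp_schedule_request() queues the work. The changelog says a generic header length check exists upstream of this point; an explicit early `return false` (or `WARN_ON_ONCE(size < sizeof(*hdr))`) here would document that invariant next to the field that depends on it.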
From: Michael Bommarito
To: Mika Westerberg, Andreas Noever, Yehezkel Bernat
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 5/6] thunderbolt: limit XDomain response copy to actual frame size
Date: Mon, 25 May 2026 05:28:29 -0400
Message-ID: <20260525092830.735472-6-michael.bommarito@gmail.com>
In-Reply-To: <20260525092830.735472-1-michael.bommarito@gmail.com>
References: <20260525092830.735472-1-michael.bommarito@gmail.com>

tb_xdomain_copy() copies req->response_size bytes from the received
packet buffer regardless of the actual frame size. When a short response
arrives, this reads past the valid frame data in the DMA pool buffer
into stale contents from previous transactions.

Use the minimum of frame size and expected response size for the copy
length.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
The DMA pool buffer (ctl.c:340) is always 256 bytes, so a short frame does not cause an out-of-bounds read from the buffer itself. The real impact is that bytes past the valid frame contain stale data from previous DMA transactions, which are copied into the response struct and interpreted as protocol fields.

Confirmed on QEMU (7.1.0-rc3).

 drivers/thunderbolt/xdomain.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c
index 9d54e3ccc8278..1fd1cf4295a2a 100644
--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -123,7 +123,9 @@ static bool tb_xdomain_match(const struct tb_cfg_reques= t *req, static bool tb_xdomain_copy(struct tb_cfg_request *req, const struct ctl_pkg *pkg) { - memcpy(req->response, pkg->buffer, req->response_size); + size_t len =3D min_t(size_t, pkg->frame.size, req->response_size); + + memcpy(req->response, pkg->buffer, len); req->result.err =3D 0; return true; } --=20 2.53.0
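Review bot: with len clamped to pkg->frame.size, a frame shorter than req->response_size now returns true with req->result.err = 0, so the caller still treats the response as complete while bytes [len, req->response_size) of req->response keep whatever was there before the call; that is a different source of stale data, not an absence of it. Either report the short frame as an error (return false or set req->result.err) or clear the tail, e.g. `memset((u8 *)req->response + len, 0, req->response_size - len);`, and put a one-line comment on the min_t() saying the pool buffer is 256 bytes and may hold data from an earlier transaction, since the commit message is the only place that explains why the clamp exists.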
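The stale-data effect the commit message describes, as an added example that is not part of the patch or the driver: a fixed 256-byte pool buffer (the size the cover note cites for ctl.c) receives a full 16-byte response and then an 8-byte one, and the copy is run both the pre-patch way and the clamped way. The structs, the response layout and every hyp_ name are this example's own stand-ins, not driver identifiers; the returned copy length is also an addition so that a caller can detect a short frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HYP_POOL_SIZE 256   /* DMA pool buffer size the cover note cites */

struct hyp_frame { size_t size; };              /* bytes the device actually sent */
struct hyp_ctl_pkg {
    struct hyp_frame frame;
    uint8_t buffer[HYP_POOL_SIZE];              /* reused across transactions */
};
struct hyp_cfg_request {
    void *response;
    size_t response_size;
    int err;
};
struct hyp_xd_resp {                            /* 16-byte stand-in for a response struct */
    uint32_t route_hi, route_lo, length_seq, type;
};

/* Before the patch: copies response_size bytes whatever frame.size says. */
size_t hyp_copy_old(struct hyp_cfg_request *req, const struct hyp_ctl_pkg *pkg)
{
    memcpy(req->response, pkg->buffer, req->response_size);
    req->err = 0;
    return req->response_size;
}

/* After the patch: clamp to min(frame.size, response_size). Returning the
 * length is this example's addition: comparing it with response_size is how
 * a caller would notice a short frame, which the patch itself does not do. */
size_t hyp_copy_new(struct hyp_cfg_request *req, const struct hyp_ctl_pkg *pkg)
{
    size_t len = pkg->frame.size < req->response_size ? pkg->frame.size : req->response_size;
    memcpy(req->response, pkg->buffer, len);
    req->err = 0;
    return len;
}

struct hyp_outcome { size_t copied; size_t stale_nonzero; };

/* Two constructed transactions into the same pool buffer: a full 16-byte
 * response, then an 8-byte one. Only the first 8 bytes of the pool are
 * rewritten by the second, so bytes 8..15 still hold the earlier response. */
static struct hyp_outcome hyp_run_short_frame(int use_fixed)
{
    static const uint8_t first[16] = {
        0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02,   /* route */
        0x00,0x00,0x00,0x10, 0x0b,0x00,0x00,0x00 }; /* length/seq, type */
    static const uint8_t second[8] = {
        0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02 }; /* route only */
    struct hyp_ctl_pkg pkg;
    struct hyp_xd_resp resp;
    struct hyp_cfg_request req = { &resp, sizeof(resp), 0 };
    struct hyp_outcome out = { 0, 0 };
    const uint8_t *raw = (const uint8_t *)&resp;
    size_t i;

    memset(&pkg, 0, sizeof(pkg));

    /* Transaction 1: full response lands in the pool and is copied out. */
    memcpy(pkg.buffer, first, sizeof(first));
    pkg.frame.size = sizeof(first);
    memset(&resp, 0, sizeof(resp));
    if (use_fixed) hyp_copy_new(&req, &pkg); else hyp_copy_old(&req, &pkg);

    /* Transaction 2: short frame; the pool keeps stale bytes past offset 8. */
    memcpy(pkg.buffer, second, sizeof(second));
    pkg.frame.size = sizeof(second);
    memset(&resp, 0, sizeof(resp));                 /* caller's fresh struct */
    out.copied = use_fixed ? hyp_copy_new(&req, &pkg) : hyp_copy_old(&req, &pkg);

    /* Count bytes beyond the real frame that ended up non-zero in resp:
     * each one is stale pool data now read as a protocol field. */
    for (i = pkg.frame.size; i < sizeof(resp); i++)
        if (raw[i] != 0)
            out.stale_nonzero++;
    return out;
}

size_t hyp_bytes_copied_after_short_frame(int use_fixed)
{
    return hyp_run_short_frame(use_fixed).copied;
}

size_t hyp_stale_bytes_after_short_frame(int use_fixed)
{
    return hyp_run_short_frame(use_fixed).stale_nonzero;
}
```

With the pre-patch copy the caller sees 16 bytes, two of which (the length/seq and type bytes of the previous response) never came from the device; with the clamped copy it sees 8. Note that the clamp only stops the pool's stale bytes from being copied: the tail of the caller's struct is left as the caller had it, which is why checking the returned length (or zero-filling) still matters.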
From: Michael Bommarito
To: Mika Westerberg, Andreas Noever, Yehezkel Bernat
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 6/6] thunderbolt: test: add KUnit tests for property parser bounds checks
Date: Mon, 25 May 2026 05:28:30 -0400
Message-ID: <20260525092830.735472-7-michael.bommarito@gmail.com>
In-Reply-To: <20260525092830.735472-1-michael.bommarito@gmail.com>
References: <20260525092830.735472-1-michael.bommarito@gmail.com>

Add regression tests for the zero-length entry and root directory bounds fixes:

- tb_test_property_parse_zero_length: TEXT entry with length 0 must be rejected by the validator.
- tb_test_property_parse_rootdir_overflow: root directory whose content_offset + content_len exceeds block_len must be rejected.

Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito --- drivers/thunderbolt/test.c | 40 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/drivers/thunderbolt/test.c b/drivers/thunderbolt/test.c index 1f4318249c226..345f39ecd233f 100644 --- a/drivers/thunderbolt/test.c +++ b/drivers/thunderbolt/test.c @@ -2852,6 +2852,44 @@ static void tb_test_property_copy(struct kunit *test) tb_property_free_dir(src); } =20 +static void tb_test_property_parse_zero_length(struct kunit *test) +{ + u32 *block =3D kunit_kzalloc(test, 6 * sizeof(u32), GFP_KERNEL); + struct tb_property_dir *dir; + + KUNIT_ASSERT_NOT_NULL(test, block); + + block[0] =3D 0x55584401; /* rootdir magic */ + block[1] =3D 0x00000004; /* root length: one entry */ + + block[2] =3D 0x61616161; /* key_hi */ + block[3] =3D 0x61616161; /* key_lo */ + block[4] =3D 0x74000000; /* type=3DTEXT, reserved=3D0, length=3D0 */ + block[5] =3D 0x00000000; /* value */ + + dir =3D tb_property_parse_dir(block, 6); + KUNIT_EXPECT_NULL(test, dir); + tb_property_free_dir(dir); +} + +static void tb_test_property_parse_rootdir_overflow(struct kunit *test) +{ + u32 *block =3D kunit_kzalloc(test, 4 * sizeof(u32), GFP_KERNEL); + struct tb_property_dir *dir; + + KUNIT_ASSERT_NOT_NULL(test, block); + + block[0] =3D 0x55584401; /* rootdir magic */ + block[1] =3D 0x00000004; /* root length claims 4 dwords of content */ + block[2] =3D 0x61616161; + block[3] =3D 0x61616161; + + /* content_offset(2) + content_len(4) =3D 6 > block_len(4) */ + dir =3D tb_property_parse_dir(block, 4); + KUNIT_EXPECT_NULL(test, dir); + tb_property_free_dir(dir); +} + static struct kunit_case tb_test_cases[] =3D { KUNIT_CASE(tb_test_path_basic), KUNIT_CASE(tb_test_path_not_connected_walk), 
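Review bot: tb_test_property_parse_rootdir_overflow only exercises the strictly-greater case (content_offset(2) + content_len(4) = 6 > block_len(4)), so an off-by-one that also rejects content_offset + content_len == block_len would still pass; add a sibling block where the sum equals block_len and KUNIT_EXPECT_NOT_NULL() the result. Two smaller points: both tests hand a possibly-NULL dir to tb_property_free_dir() right after KUNIT_EXPECT_NULL(), which is fine only if that function tolerates NULL, so either guard it with `if (dir)` or say so in a comment; and 0x55584401 and 0x61616161 are repeated as bare literals (block[2] and block[3] in the overflow test carry no comment at all), so a named constant for the magic and a note that the two key dwords are the start of an entry that the claimed length cannot contain would help the next reader.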
@@ -2892,6 +2930,8 @@ static struct kunit_case tb_test_cases[] =3D { KUNIT_CASE(tb_test_property_parse), KUNIT_CASE(tb_test_property_format), KUNIT_CASE(tb_test_property_copy), + KUNIT_CASE(tb_test_property_parse_zero_length), + KUNIT_CASE(tb_test_property_parse_rootdir_overflow), { } }; =20 --=20 2.53.0
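An added validator, not the driver's parser and not part of this series, that models the two rejected cases the tests above encode plus the exact-fit boundary between them. The block layout is inferred from the test vectors (magic at dword 0, content length in dwords at dword 1, content from dword 2, 4-dword entries whose third dword carries the type in the top byte and a 16-bit length in the low half); the hyp_ names, the payload-offset check for TEXT entries and the non-TEXT type value used in the exact-fit block are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define HYP_ROOTDIR_MAGIC   0x55584401u
#define HYP_ROOTDIR_OFFSET  2u      /* content follows the magic and length dwords */
#define HYP_ENTRY_DWORDS    4u      /* key_hi, key_lo, type/length, value */
#define HYP_TYPE_TEXT       0x74u   /* 't', as in the zero-length vector */

enum hyp_verdict {
    HYP_OK = 0,
    HYP_BAD_MAGIC,
    HYP_ROOTDIR_OVERFLOW,   /* content_offset + content_len > block_len */
    HYP_SHORT_ENTRY,        /* content is not a whole number of entries */
    HYP_ZERO_LENGTH,        /* TEXT entry with length 0 */
    HYP_VALUE_OUT_OF_BLOCK, /* TEXT payload (value offset + length) past the block */
};

static inline uint8_t  hyp_entry_type(uint32_t w)   { return (uint8_t)(w >> 24); }
static inline uint16_t hyp_entry_length(uint32_t w) { return (uint16_t)(w & 0xffffu); }

/* block_len is the number of dwords the caller actually owns. */
enum hyp_verdict hyp_validate_rootdir(const uint32_t *block, size_t block_len)
{
    size_t content_len, i;

    if (block_len < HYP_ROOTDIR_OFFSET || block[0] != HYP_ROOTDIR_MAGIC)
        return HYP_BAD_MAGIC;

    content_len = block[1];
    /* The rootdir_overflow vector: 2 + 4 > 4. Written as a subtraction so it
     * cannot wrap, and with '>' so a content that ends exactly at block_len
     * is still accepted. */
    if (content_len > block_len - HYP_ROOTDIR_OFFSET)
        return HYP_ROOTDIR_OVERFLOW;
    if (content_len % HYP_ENTRY_DWORDS)
        return HYP_SHORT_ENTRY;

    for (i = 0; i < content_len; i += HYP_ENTRY_DWORDS) {
        const uint32_t *e = &block[HYP_ROOTDIR_OFFSET + i];
        uint32_t word = e[2], value = e[3];
        uint16_t len = hyp_entry_length(word);

        if (hyp_entry_type(word) == HYP_TYPE_TEXT) {
            /* The zero_length vector: a TEXT entry that claims no payload. */
            if (len == 0)
                return HYP_ZERO_LENGTH;
            /* Assumed: value is a dword offset to the text; it must fit too. */
            if (value > block_len || len > block_len - value)
                return HYP_VALUE_OUT_OF_BLOCK;
        }
    }
    return HYP_OK;
}

/* Constructed inputs: the two KUnit vectors, an exact-fit block whose
 * content ends at block_len (one non-TEXT entry, type 0x76 chosen for this
 * example), and a valid TEXT entry whose one-dword payload sits at dword 6. */
static const uint32_t hyp_zero_len_block[6] = {
    0x55584401, 0x00000004, 0x61616161, 0x61616161, 0x74000000, 0x00000000 };
static const uint32_t hyp_overflow_block[4] = {
    0x55584401, 0x00000004, 0x61616161, 0x61616161 };
static const uint32_t hyp_exact_fit_block[6] = {
    0x55584401, 0x00000004, 0x61616161, 0x61616161, 0x76000001, 0x00000001 };
static const uint32_t hyp_text_block[7] = {
    0x55584401, 0x00000004, 0x61616161, 0x61616161, 0x74000001, 0x00000006,
    0x00006b6f };

int hyp_check_zero_length(void) { return hyp_validate_rootdir(hyp_zero_len_block, 6); }
int hyp_check_overflow(void)    { return hyp_validate_rootdir(hyp_overflow_block, 4); }
int hyp_check_exact_fit(void)   { return hyp_validate_rootdir(hyp_exact_fit_block, 6); }
int hyp_check_text(void)        { return hyp_validate_rootdir(hyp_text_block, 7); }
```

The exact-fit block is the case the posted tests do not cover: content_offset + content_len equals block_len, and a validator written with `>=` instead of `>` would wrongly reject it. Every length arithmetic here is a subtraction from block_len rather than an addition of attacker-controlled dwords, so a large content_len or value cannot wrap past the bound.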