From: Michael Bommarito
To: Mika Westerberg, linux-usb@vger.kernel.org
Cc: Andreas Noever, Yehezkel Bernat, Andy Shevchenko, Michael Jamet, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 1/4] thunderbolt: property: reject u32 wrap in tb_property_entry_valid()
Date: Sun, 10 May 2026 19:16:56 -0400
Message-ID: <20260510231715.2215605-1-michael.bommarito@gmail.com>
In-Reply-To:
References: <20260415123221.225149-1-michael.bommarito@gmail.com>

entry->value is u32 and entry->length is u16; the sum is performed in u32 and wraps. A malicious XDomain peer can pick value = 0xffffff00, length = 0x100 so the sum 0x100000000 wraps to 0 and passes the > block_len check.

tb_property_parse() then passes entry->value to parse_dwdata() as a dword offset into the property block, reading attacker-directed memory far past the allocation. For TEXT-typed entries with the "deviceid" or "vendorid" keys this lands in xd->device_name / xd->vendor_name and is readable back via the per-XDomain device_name / vendor_name sysfs attributes; the leak is NUL-bounded (kstrdup() stops at the first zero byte) and untargeted (the attacker picks a delta, not an absolute address). DATA-typed entries are parsed into property->value.data but not generically surfaced to userspace.

Use check_add_overflow() so a wrapped sum is rejected.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito
---
 drivers/thunderbolt/property.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c index 50cbfc92fe65..29cd60c11ac4 100644 --- a/drivers/thunderbolt/property.c +++ b/drivers/thunderbolt/property.c @@ -8,6 +8,7 @@ */ =20 #include +#include #include #include #include 
@@ -52,13 +53,16 @@ static inline void format_dwdata(void *dst, const void = *src, size_t dwords) static bool tb_property_entry_valid(const struct tb_property_entry *entry, size_t block_len) { + u32 end; + switch (entry->type) { case TB_PROPERTY_TYPE_DIRECTORY: case TB_PROPERTY_TYPE_DATA: case TB_PROPERTY_TYPE_TEXT: if (entry->length > block_len) return false; - if (entry->value + entry->length > block_len) + if (check_add_overflow(entry->value, entry->length, &end) || + end > block_len) return false; break; =20 --=20 2.53.0 From nobody Sat Jun 13 04:17:35 2026 Received: from mail-qt1-f171.google.com (mail-qt1-f171.google.com [209.85.160.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 560563A5E64 for ; Sun, 10 May 2026 23:17:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778455040; cv=none; b=DdtxO+tG7mturNfnCJWckcXx/mGV24ajjlVCdjytLSYmazIq/Zc5104kcyInMWKHxYk8n2BR77VzG197r+vGoE2QWEiaOQ/F5Fqvzkl9/HyfyXy671TUhKpIEGZoiOy5oXX96noD6RT2Zerx7uAusvvEHpZarAxT2gbPK3k9qGA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778455040; c=relaxed/simple; bh=dF5X1LUG4r0lQCtZsSoClebMfzIDwW0CmxgsuMikSXg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WxtW/pTqPCruonUiQk9agZACDHVg36Ilp8AFJAqcQCsldzGo3xPLrrZLbGc5Im/ncaAEV0QpbVv6gQTYf0nr53xNgogQBIocim/B1+bPSuagrg76cPvV598bCYt79vLCyQxD58b1u5r36Bf2uGLALOqOLRROkJvJOlrcLEffY8k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=MpJmxHLT; arc=none smtp.client-ip=209.85.160.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) 
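Review bot: the `if (entry->length > block_len)` check kept just above the new lines is now implied by the new `end > block_len` test (the sum is computed without wrapping and entry->value is unsigned, so length <= end <= block_len), so either drop it or add a one-line comment that it is only a cheap early-out; as written the two read as independent conditions that a stable backporter may try to "fix" separately. The destination `u32 end;` is the right width, since the whole point is to detect the carry out of the u32 the old sum was performed in; a comment to that effect next to the declaration would keep someone from widening it to size_t and quietly changing the semantics of the overflow check.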
From: Michael Bommarito
To: Mika Westerberg, linux-usb@vger.kernel.org
Cc: Andreas Noever, Yehezkel Bernat, Andy Shevchenko, Michael Jamet, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 2/4] thunderbolt: property: reject dir_len < 4 to prevent size_t underflow
Date: Sun, 10 May 2026 19:16:57 -0400
Message-ID: <20260510231715.2215605-2-michael.bommarito@gmail.com>
In-Reply-To:
References: <20260415123221.225149-1-michael.bommarito@gmail.com>

On the non-root path, __tb_property_parse_dir() takes dir_len from entry->length (u16 widened to size_t). Two distinct OOB conditions follow when entry->length < 4:

1. The non-root path begins with kmemdup(&block[dir_offset], sizeof(*dir->uuid), ...) which always reads 4 dwords from dir_offset. tb_property_entry_valid() only enforces dir_offset + entry->length <= block_len, so a crafted entry with dir_offset close to the end of the property block and entry->length in 0..3 passes that gate but lets the UUID copy run off the block (e.g. dir_offset = 497, dir_len = 3 in a 500-dword block reads block[497..501]).

2. After the kmemdup, content_len = dir_len - 4 underflows size_t to ~SIZE_MAX, nentries becomes SIZE_MAX / 4, and the entry walk runs OOB on each iteration until an entry fails validation or the kernel oopses on an unmapped page.

Reject dir_len < 4 on the non-root path *before* the UUID kmemdup, which closes both holes.

Also move INIT_LIST_HEAD(&dir->properties) up to immediately after the dir allocation so the new error-return path (and the existing uuid-alloc failure path) calling tb_property_free_dir() sees a walkable list rather than the zero-initialized NULL next/prev that list_for_each_entry_safe() would oops on.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Assisted-by: Codex:gpt-5-4 Signed-off-by: Michael Bommarito --- drivers/thunderbolt/property.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c index 29cd60c11ac4..74c92f9801ff 100644 --- a/drivers/thunderbolt/property.c +++ b/drivers/thunderbolt/property.c @@ -174,10 +174,16 @@ static struct tb_property_dir *__tb_property_parse_di= r(const u32 *block, if (!dir) return NULL; =20 + INIT_LIST_HEAD(&dir->properties); + if (is_root) { content_offset =3D dir_offset + 2; content_len =3D dir_len; } else { + if (dir_len < 4) { + tb_property_free_dir(dir); + return NULL; + } dir->uuid =3D kmemdup(&block[dir_offset], sizeof(*dir->uuid), GFP_KERNEL); if (!dir->uuid) { 
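Review bot: the new `if (dir_len < 4)` reject uses a bare 4 that has to stay in agreement with two other places in this function, the `kmemdup(&block[dir_offset], sizeof(*dir->uuid), ...)` directly below it and the existing `content_len = dir_len - 4` further down; spelling it as `sizeof(*dir->uuid) / sizeof(u32)` (or one named constant used in all three spots) ties the guard to the copy it protects so a later change to the UUID read cannot silently reopen the underflow. Hoisting `INIT_LIST_HEAD(&dir->properties)` above the is_root branch is correct because both the new reject path and the existing uuid-alloc failure path call tb_property_free_dir(), which walks that list; a short comment at the new location would stop a future cleanup from moving it back down beside the entry loop where it used to live.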
@@ -191,8 +197,6 @@ static struct tb_property_dir *__tb_property_parse_dir(= const u32 *block, entries =3D (const struct tb_property_entry *)&block[content_offset]; nentries =3D content_len / (sizeof(*entries) / 4); =20 - INIT_LIST_HEAD(&dir->properties); - for (i =3D 0; i < nentries; i++) { struct tb_property *property; =20 --=20 2.53.0 From nobody Sat Jun 13 04:17:35 2026 Received: from mail-qt1-f179.google.com (mail-qt1-f179.google.com [209.85.160.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 93B8D3ACF1C for ; Sun, 10 May 2026 23:17:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778455042; cv=none; b=F5+1ANejI2n9Q+G9F6m9XVUXzR8GJQBi3QeFJEDD208rZIG64zorzQ5yUWNYdkqoHmcA0k/JfZZSrFRXK9rYJZ79Q4dWoZRvl4Vx5e60ujvIhvBLGzh+lf49EHAruO3vL8XWUIjFITthXZvyUG+zhWV+ctXbOOq9myS3WkE9ppg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778455042; c=relaxed/simple; bh=yCeRqCqV/OuDGj8AxgSGkFPw7mgtyvM8WobSjT8OE+A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PzEkeSmXfijeW9iI3L7JOSRCm4FXLCfDglt/X7cEAnvo1uU+Vq3ELRDXWccpesdOGWd3sXHcZUI7xRwEG2L20gyhnB+pUixVyuVB+f7ZFi0VE33ouWbqrx11fUgaTGUQPJB694Mcal0gDVwBsyDyADlUQ8TjvjSA6Pd8L1HFlH0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=hcuNx532; arc=none smtp.client-ip=209.85.160.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com 
From: Michael Bommarito
To: Mika Westerberg, linux-usb@vger.kernel.org
Cc: Andreas Noever, Yehezkel Bernat, Andy Shevchenko, Michael Jamet, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 3/4] thunderbolt: property: cap recursion depth in __tb_property_parse_dir()
Date: Sun, 10 May 2026 19:16:58 -0400
Message-ID: <20260510231715.2215605-3-michael.bommarito@gmail.com>
In-Reply-To:
References: <20260415123221.225149-1-michael.bommarito@gmail.com>

A DIRECTORY entry's value field is used as the dir_offset for a recursive call into __tb_property_parse_dir() with no depth counter. A crafted peer that chains DIRECTORY entries into a back-reference loop drives the parser until the kernel stack is exhausted and the guard page fires. Any untrusted XDomain peer (cable, dock, in-line inspector, adjacent host) that reaches the PROPERTIES_REQUEST control-plane exchange can trigger this without authentication.

Thread a depth counter through tb_property_parse() and __tb_property_parse_dir(), and reject blocks that exceed TB_PROPERTY_MAX_DEPTH = 8. That is comfortably larger than any observed legitimate XDomain layout.

Operators who do not need XDomain host-to-host discovery can disable the path entirely with thunderbolt.xdomain=0 on the kernel command line.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito
---
 drivers/thunderbolt/property.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c
index 74c92f9801ff..da2c59a17db5 100644
--- a/drivers/thunderbolt/property.c +++ b/drivers/thunderbolt/property.c @@ -35,10 +35,11 @@ struct tb_property_dir_entry { }; =20 #define TB_PROPERTY_ROOTDIR_MAGIC 0x55584401 +#define TB_PROPERTY_MAX_DEPTH 8 =20 static struct tb_property_dir *__tb_property_parse_dir(const u32 *block, size_t block_len, unsigned int dir_offset, size_t dir_len, - bool is_root); + bool is_root, unsigned int depth); =20 static inline void parse_dwdata(void *dst, const void *src, size_t dwords) { @@ -97,7 +98,8 @@ tb_property_alloc(const char *key, enum tb_property_type = type) } =20 static struct tb_property *tb_property_parse(const u32 *block, size_t bloc= k_len, - const struct tb_property_entry *entry) + const struct tb_property_entry *entry, + unsigned int depth) { char key[TB_PROPERTY_KEY_SIZE + 1]; struct tb_property *property; @@ -118,7 +120,7 @@ static struct tb_property *tb_property_parse(const u32 = *block, size_t block_len, switch (property->type) { case TB_PROPERTY_TYPE_DIRECTORY: dir =3D __tb_property_parse_dir(block, block_len, entry->value, - entry->length, false); + entry->length, false, depth + 1); if (!dir) { kfree(property); return NULL; @@ -163,13 +165,17 @@ static struct tb_property *tb_property_parse(const u3= 2 *block, size_t block_len, } =20 static struct tb_property_dir *__tb_property_parse_dir(const u32 *block, - size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root) + size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root, + unsigned int depth) { const struct tb_property_entry *entries; size_t i, content_len, nentries; unsigned int content_offset; struct tb_property_dir *dir; =20 + if (depth > TB_PROPERTY_MAX_DEPTH) + return NULL; + dir =3D kzalloc_obj(*dir); if (!dir) return NULL; 
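Review bot: `#define TB_PROPERTY_MAX_DEPTH 8` lands without a comment, and the two facts a reader needs are only in the commit message: why 8 (larger than any observed legitimate XDomain layout) and what it counts (the root directory is parsed at depth 0 and each nested DIRECTORY adds one, so with `depth > TB_PROPERTY_MAX_DEPTH` nine directory levels parse and the tenth is rejected); both belong beside the define, which is where the next person will look before changing it. The check is correctly placed ahead of `kzalloc_obj(*dir)` so an over-deep block allocates nothing and the caller's existing NULL handling frees the partial tree; the `depth + 1` in the tb_property_parse() hunk and the unchanged `depth` in the entry loop are consistent with that counting.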
@@ -200,7 +206,7 @@ static struct tb_property_dir *__tb_property_parse_dir(= const u32 *block, for (i =3D 0; i < nentries; i++) { struct tb_property *property; =20 - property =3D tb_property_parse(block, block_len, &entries[i]); + property =3D tb_property_parse(block, block_len, &entries[i], depth); if (!property) { tb_property_free_dir(dir); return NULL; 
@@ -239,7 +245,7 @@ struct tb_property_dir *tb_property_parse_dir(const u32= *block, return NULL; =20 return __tb_property_parse_dir(block, block_len, 0, rootdir->length, - true); + true, 0); } =20 /** --=20 2.53.0 From nobody Sat Jun 13 04:17:35 2026 Received: from mail-qv1-f43.google.com (mail-qv1-f43.google.com [209.85.219.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 298C334572B for ; Sun, 10 May 2026 23:17:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778455043; cv=none; b=MILb1oZYjIdUP8lgmfTlXbe0MQKPgsKf36rSulR7yD6TrnZU1WCdRp9TIIIcuXnUFu/rk8e3hDEz9q6D0D3VYHOMXbh4VkOcMiCaa4S+go8/bJ5MDKLM2Z/6PR0Vkw2WX0kWmYqVjK3idZNDIoo4uNmqwao7pdp2DXzeDwLTDV4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778455043; c=relaxed/simple; bh=3ZotJzSuzGicOvCuyTT04CpVUaZMCdOlnmm3Sl4A4KQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XQJ7u2PaFNtJpN68FBAVhFLvZBp2IZnAzpMZ56Asq1T84hCcyQ4eupz5fBI2qAH7obvuGMe1PsdNXgLuSLHGpoCwRCaweO6DWPCwUVgjeVBPZcWWVSZ9rqB7Co11/6scO/qat0hT4K8iNkEA8p3kOtsCUKFihcaSoCL101YSvW4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=pMbJTZQQ; arc=none smtp.client-ip=209.85.219.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="pMbJTZQQ" Received: by mail-qv1-f43.google.com with SMTP id 6a1803df08f44-8b5cda2dab9so39980336d6.0 for ; Sun, 
From: Michael Bommarito
To: Mika Westerberg, linux-usb@vger.kernel.org
Cc: Andreas Noever, Yehezkel Bernat, Andy Shevchenko, Michael Jamet, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 4/4] thunderbolt: test: add KUnit regression tests for XDomain property parser
Date: Sun, 10 May 2026 19:16:59 -0400
Message-ID: <20260510231715.2215605-4-michael.bommarito@gmail.com>
In-Reply-To:
References: <20260415123221.225149-1-michael.bommarito@gmail.com>

Add three KUnit cases that exercise the defects fixed by the sibling commits in this series by feeding crafted XDomain property blocks to tb_property_parse_dir():

tb_test_property_parse_u32_wrap - entry->value = 0xffffff00 and entry->length = 0x100 so their u32 sum 0x100000000 wraps to 0 under the block_len guard; without the fix the subsequent parse_dwdata() reads attacker-directed OOB memory.

tb_test_property_parse_recursion - two DIRECTORY entries pointing at each other, driving __tb_property_parse_dir() recursion; without the fix the kernel stack is exhausted.

tb_test_property_parse_dir_len_underflow - a DIRECTORY entry with length < 4 placed near the end of the block so the non-root UUID kmemdup of 4 dwords from dir_offset reads OOB before the later content_len = dir_len - 4 underflow path is reached.

Each test asserts tb_property_parse_dir() returns NULL on the crafted input.

With CONFIG_KASAN=y, running these on the pre-fix kernel produces an oops inside __tb_property_parse_dir or its callees: u32_wrap takes a page fault on the KASAN shadow lookup for the wild ~16 GiB OOB offset; recursion trips a KASAN out-of-bounds report in __unwind_start as the per-task kernel stack is consumed; dir_len_underflow trips a KASAN slab-out-of-bounds report in kmemdup_noprof reading 16 bytes past the 28-byte block. Post-fix they pass cleanly.

The crafted blocks are populated by writing u32 dwords directly, matching the existing root_directory[] style used elsewhere in this file rather than imposing a private struct overlay.

Run with:

  ./tools/testing/kunit/kunit.py run --arch=x86_64 \
    --kconfig_add CONFIG_PCI=y --kconfig_add CONFIG_NVMEM=y \
    --kconfig_add CONFIG_USB4=y --kconfig_add CONFIG_USB4_KUNIT_TEST=y \
    --kconfig_add CONFIG_KASAN=y 'thunderbolt.tb_test_property_parse_*'

Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
---
 drivers/thunderbolt/test.c | 126 +++++++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)

diff --git a/drivers/thunderbolt/test.c b/drivers/thunderbolt/test.c
index 1f4318249c22..f41fabf15456 100644
--- a/drivers/thunderbolt/test.c
+++ b/drivers/thunderbolt/test.c
@@ -2852,7 +2852,133 @@ static void tb_test_property_copy(struct kunit *tes= t) tb_property_free_dir(src); } =20 +/* + * Reproducers for three memory-safety defects in + * drivers/thunderbolt/property.c reached from a crafted XDomain + * PROPERTIES_RESPONSE payload. Without the fix these trip KASAN or + * smash the kernel stack; with the fix each returns NULL cleanly. + * + * The on-wire entry layout matches struct tb_property_entry in + * property.c (private to that translation unit): u32 key_hi, u32 + * key_lo, then a packed u32 =3D (type << 24) | (reserved << 16) | + * length, then u32 value. Each entry is 4 dwords. + */ + +static void tb_test_property_parse_u32_wrap(struct kunit *test) +{ + /* + * 0x102 dwords: enough for the entry's length field (0x100) to + * pass the "entry->length > block_len" gate so the wrap check + * is actually exercised. parse_dwdata's downstream OOB read + * lands ~16 GiB past the allocation regardless. + */ + u32 *block =3D kunit_kzalloc(test, 0x102 * sizeof(u32), GFP_KERNEL); + struct tb_property_dir *dir; + + KUNIT_ASSERT_NOT_NULL(test, block); + + block[0] =3D 0x55584401; /* "UXD" v1 magic */ + block[1] =3D 0x00000004; /* Root directory length: one entry */ + + /* + * DATA entry whose value 0xffffff00 + length 0x100 wrap to 0 + * in u32, passing the sum <=3D block_len guard even though the + * real offset is far past the allocation. + */ + block[2] =3D 0x61616161; /* key_hi */ + block[3] =3D 0x61616161; /* key_lo */ + block[4] =3D 0x64000100; /* type=3DDATA, reserved=3D0, length=3D0x100 */ + block[5] =3D 0xffffff00; /* value */ + + dir =3D tb_property_parse_dir(block, 0x102); + KUNIT_EXPECT_NULL(test, dir); + tb_property_free_dir(dir); +} + +static void tb_test_property_parse_recursion(struct kunit *test) +{ + /* + * 10 dwords: rootdir header (2) + parent DIRECTORY entry (4) + + * the child entry that lives at dir_offset(2) + UUID(4) =3D 6, + * occupying block[6..9]. 
Each recursive level re-reads the + * same block[6..9] as its first child entry, which is itself + * a DIRECTORY pointing at offset 2. + */ + u32 *block =3D kunit_kzalloc(test, 10 * sizeof(u32), GFP_KERNEL); + struct tb_property_dir *dir; + + KUNIT_ASSERT_NOT_NULL(test, block); + + block[0] =3D 0x55584401; /* "UXD" v1 magic */ + block[1] =3D 0x00000004; /* Root directory length: one entry */ + + /* + * DIRECTORY entry pointing at dir_offset =3D 2 with length =3D 8. + * Non-root parse derives content_offset =3D 6, content_len =3D 4, + * nentries =3D 1. block[6..9] is read both as the parent's UUID + * (kmemdup'd into dir->uuid) and as the single child entry -- + * which is itself a DIRECTORY pointing at offset 2, so the + * recursion never terminates and the kernel stack is exhausted. + */ + block[2] =3D 0x61616161; /* key_hi */ + block[3] =3D 0x61616161; /* key_lo */ + block[4] =3D 0x44000008; /* type=3DDIRECTORY, reserved=3D0, length=3D8 */ + block[5] =3D 0x00000002; /* value =3D dir_offset */ + + block[6] =3D 0x62626262; /* doubles as UUID dword 0 / child key_hi */ + block[7] =3D 0x62626262; /* doubles as UUID dword 1 / child key_lo */ + block[8] =3D 0x44000008; /* type=3DDIRECTORY, reserved=3D0, length=3D8 */ + block[9] =3D 0x00000002; /* value =3D dir_offset (back at parent) */ + + dir =3D tb_property_parse_dir(block, 10); + KUNIT_EXPECT_NULL(test, dir); + tb_property_free_dir(dir); +} + +static void tb_test_property_parse_dir_len_underflow(struct kunit *test) +{ + /* + * Allocate exactly 7 dwords (28 bytes) so the kmalloc-32 chunk + * leaves a 4-byte slab redzone tail that KASAN-Generic can flag. + * With block_len =3D 7, dir_offset =3D 4, dir_len =3D 3, the non-root + * UUID kmemdup reads 16 bytes from byte 16, so bytes 28..31 fall + * in the redzone and trip a KASAN slab-out-of-bounds report on + * the pre-fix kernel. Sizing the buffer at a power of two (32, + * 64, ...) 
puts the over-read into the slab cache tail where + * KASAN's generic shadow does not flag it, and the test reduces + * to the downstream content_len =3D dir_len - 4 underflow path + * which also returns NULL. + */ + u32 *block =3D kunit_kzalloc(test, 7 * sizeof(u32), GFP_KERNEL); + struct tb_property_dir *dir; + + KUNIT_ASSERT_NOT_NULL(test, block); + + block[0] =3D 0x55584401; /* "UXD" v1 magic */ + block[1] =3D 0x00000004; /* Root directory length: one entry */ + + /* + * DIRECTORY entry with length =3D 3 pointing at dir_offset =3D 4. + * tb_property_entry_valid() permits value(4) + length(3) <=3D + * block_len(7). Non-root parse begins with a kmemdup of 4 + * dwords from dir_offset for the UUID; that read runs past the + * 28-byte allocation before the dir_len < 4 reject would fire. + */ + block[2] =3D 0x61616161; /* key_hi */ + block[3] =3D 0x61616161; /* key_lo */ + block[4] =3D 0x44000003; /* type=3DDIRECTORY, reserved=3D0, length=3D3 */ + block[5] =3D 0x00000004; /* value =3D dir_offset */ + /* block[6] is the start of the four UUID dwords; block[7..] is OOB. */ + + dir =3D tb_property_parse_dir(block, 7); + KUNIT_EXPECT_NULL(test, dir); + tb_property_free_dir(dir); +} + static struct kunit_case tb_test_cases[] =3D { + KUNIT_CASE(tb_test_property_parse_u32_wrap), + KUNIT_CASE(tb_test_property_parse_recursion), + KUNIT_CASE(tb_test_property_parse_dir_len_underflow), KUNIT_CASE(tb_test_path_basic), KUNIT_CASE(tb_test_path_not_connected_walk), KUNIT_CASE(tb_test_path_single_hop_walk), --=20 2.53.0
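Review bot: the three new KUNIT_CASE() entries are prepended ahead of KUNIT_CASE(tb_test_path_basic), which separates them from the existing property cases (tb_test_property_copy and its siblings) that the array already groups later on; move them next to those entries so the property tests stay together and the change touches only the end of the array. Two smaller points on the same hunk: the block comment's "(type << 24) | (reserved << 16) | length" packing holds only on a little-endian host, because the parser overlays struct tb_property_entry (u32 key_hi, u32 key_lo, u16 length, u8 reserved, u8 type, u32 value) on the block in host byte order, so state that assumption in the comment (the existing root_directory[] carries the same one); and since the comment itself says the pre-fix kernel oopses or exhausts the stack rather than failing these cases, the dependency on the property.c fix should be spelled out so this test patch is never picked up on its own.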
