linux-wpan.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit
@ 2018-03-27 13:45 harrymorris12
  2018-03-27 13:45 ` [PATCH 1/1] ieee802154: ca8210: fix uninitialised data read harrymorris12
  2018-03-28 10:23 ` [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit Harry Morris
  0 siblings, 2 replies; 3+ messages in thread
From: harrymorris12 @ 2018-03-27 13:45 UTC (permalink / raw)
  To: linux-wpan; +Cc: stefan, aring, Harry Morris

From: Harry Morris <h.morris@cascoda.com>

This patchset fixes a small bug in the ca8210 driver discovered by Domen Puncer Kugler <domen.puncer@samsung.com>.

The bug allows for uninitialised memory to be sent out over SPI by writing unexpected commands to the debug interface. The bug is described in more detail in 1/1.

This fix has been tested on a Raspberry Pi running kernel 4.9.37-v7+:

harry@raspberrypi:~ $ sudo bash -c 'echo -ne "\x4f\x10" > /sys/kernel/debug/ca8210'
bash: line 0: echo: write error: Message too long
harry@raspberrypi:~ $

Harry Morris (1):
  ieee802154: ca8210: fix uninitialised data read

 drivers/net/ieee802154/ca8210.c | 7 +++++++
 1 file changed, 7 insertions(+)

-- 
2.11.0


^ permalink raw reply	[flat|nested] 3+ messages in thread
* [PATCH 1/1] ieee802154: ca8210: fix uninitialised data read
  2018-03-27 13:45 [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit harrymorris12
@ 2018-03-27 13:45 ` harrymorris12
  2018-03-28 10:23 ` [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit Harry Morris
  1 sibling, 0 replies; 3+ messages in thread
From: harrymorris12 @ 2018-03-27 13:45 UTC (permalink / raw)
  To: linux-wpan; +Cc: stefan, aring, Harry Morris

From: Harry Morris <h.morris@cascoda.com>

In ca8210_test_int_user_write() a user can request the transfer of a
frame with a length field (command.length) that is longer than the
actual buffer provided (len). In this scenario the driver will copy
the buffer contents into the uninitialised command[] buffer, then
transfer <data.length> bytes over the SPI even though only <len> bytes
had been populated, potentially leaking sensitive kernel memory.

Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
Signed-off-by: Harry Morris <h.morris@cascoda.com>
Tested-by: Harry Morris <h.morris@cascoda.com>
---
 drivers/net/ieee802154/ca8210.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index 377af43b8..06cac8d3f 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -2511,6 +2511,13 @@ static ssize_t ca8210_test_int_user_write(
 		);
 		return -EIO;
 	}
+	if (len != command[1] + 2) {
+		dev_err(
+			&priv->spi->dev,
+			"write len does not match packet length field\n"
+		);
+		return -EMSGSIZE;
+	}
 
 	ret = ca8210_test_check_upstream(command, priv->spi);
 	if (ret == 0) {
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit
  2018-03-27 13:45 [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit harrymorris12
  2018-03-27 13:45 ` [PATCH 1/1] ieee802154: ca8210: fix uninitialised data read harrymorris12
@ 2018-03-28 10:23 ` Harry Morris
  1 sibling, 0 replies; 3+ messages in thread
From: Harry Morris @ 2018-03-28 10:23 UTC (permalink / raw)
  To: linux-wpan; +Cc: stefan, aring

Please ignore this for the time being, I'll be issuing a v2 soon...

Harry


On 27/03/2018 14:45, harrymorris12@gmail.com wrote:
> From: Harry Morris <h.morris@cascoda.com>
>
> This patchset fixes a small bug in the ca8210 driver discovered by Domen Puncer Kugler <domen.puncer@samsung.com>.
>
> The bug allows for uninitialised memory to be sent out over SPI by writing unexpected commands to the debug interface. The bug is described in more detail in 1/1.
>
> This fix has been tested on a Raspberry Pi running kernel 4.9.37-v7+:
>
> harry@raspberrypi:~ $ sudo bash -c 'echo -ne "\x4f\x10" > /sys/kernel/debug/ca8210'
> bash: line 0: echo: write error: Message too long
> harry@raspberrypi:~ $
>
> Harry Morris (1):
>    ieee802154: ca8210: fix uninitialised data read
>
>   drivers/net/ieee802154/ca8210.c | 7 +++++++
>   1 file changed, 7 insertions(+)
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-03-28 10:31 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-27 13:45 [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit harrymorris12
2018-03-27 13:45 ` [PATCH 1/1] ieee802154: ca8210: fix uninitialised data read harrymorris12
2018-03-28 10:23 ` [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit Harry Morris

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).