* [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit
@ 2018-03-27 13:45 harrymorris12
2018-03-27 13:45 ` [PATCH 1/1] ieee802154: ca8210: fix uninitialised data read harrymorris12
2018-03-28 10:23 ` [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit Harry Morris
0 siblings, 2 replies; 3+ messages in thread
From: harrymorris12 @ 2018-03-27 13:45 UTC (permalink / raw)
To: linux-wpan; +Cc: stefan, aring, Harry Morris
From: Harry Morris <h.morris@cascoda.com>
This patchset fixes a small bug in the ca8210 driver discovered by Domen Puncer Kugler <domen.puncer@samsung.com>.
The bug allows for uninitialised memory to be sent out over SPI by writing unexpected commands to the debug interface. The bug is described in more detail in 1/1.
This fix has been tested on a Raspberry Pi running kernel 4.9.37-v7+:
harry@raspberrypi:~ $ sudo bash -c 'echo -ne "\x4f\x10" > /sys/kernel/debug/ca8210'
bash: line 0: echo: write error: Message too long
harry@raspberrypi:~ $
Harry Morris (1):
ieee802154: ca8210: fix uninitialised data read
drivers/net/ieee802154/ca8210.c | 7 +++++++
1 file changed, 7 insertions(+)
--
2.11.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/1] ieee802154: ca8210: fix uninitialised data read
2018-03-27 13:45 [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit harrymorris12
@ 2018-03-27 13:45 ` harrymorris12
2018-03-28 10:23 ` [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit Harry Morris
1 sibling, 0 replies; 3+ messages in thread
From: harrymorris12 @ 2018-03-27 13:45 UTC (permalink / raw)
To: linux-wpan; +Cc: stefan, aring, Harry Morris
From: Harry Morris <h.morris@cascoda.com>
In ca8210_test_int_user_write() a user can request the transfer of a
frame with a length field (command.length) that is longer than the
actual buffer provided (len). In this scenario the driver will copy
the buffer contents into the uninitialised command[] buffer, then
transfer <data.length> bytes over the SPI even though only <len> bytes
had been populated, potentially leaking sensitive kernel memory.
Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
Signed-off-by: Harry Morris <h.morris@cascoda.com>
Tested-by: Harry Morris <h.morris@cascoda.com>
---
drivers/net/ieee802154/ca8210.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index 377af43b8..06cac8d3f 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -2511,6 +2511,13 @@ static ssize_t ca8210_test_int_user_write(
);
return -EIO;
}
+ if (len != command[1] + 2) {
+ dev_err(
+ &priv->spi->dev,
+ "write len does not match packet length field\n"
+ );
+ return -EMSGSIZE;
+ }
ret = ca8210_test_check_upstream(command, priv->spi);
if (ret == 0) {
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit
2018-03-27 13:45 [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit harrymorris12
2018-03-27 13:45 ` [PATCH 1/1] ieee802154: ca8210: fix uninitialised data read harrymorris12
@ 2018-03-28 10:23 ` Harry Morris
1 sibling, 0 replies; 3+ messages in thread
From: Harry Morris @ 2018-03-28 10:23 UTC (permalink / raw)
To: linux-wpan; +Cc: stefan, aring
Please ignore this for the time being, I'll be issuing a v2 soon...
Harry
On 27/03/2018 14:45, harrymorris12@gmail.com wrote:
> From: Harry Morris <h.morris@cascoda.com>
>
> This patchset fixes a small bug in the ca8210 driver discovered by Domen Puncer Kugler <domen.puncer@samsung.com>.
>
> The bug allows for uninitialised memory to be sent out over SPI by writing unexpected commands to the debug interface. The bug is described in more detail in 1/1.
>
> This fix has been tested on a Raspberry Pi running kernel 4.9.37-v7+:
>
> harry@raspberrypi:~ $ sudo bash -c 'echo -ne "\x4f\x10" > /sys/kernel/debug/ca8210'
> bash: line 0: echo: write error: Message too long
> harry@raspberrypi:~ $
>
> Harry Morris (1):
> ieee802154: ca8210: fix uninitialised data read
>
> drivers/net/ieee802154/ca8210.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-03-28 10:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-27 13:45 [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit harrymorris12
2018-03-27 13:45 ` [PATCH 1/1] ieee802154: ca8210: fix uninitialised data read harrymorris12
2018-03-28 10:23 ` [PATCH 0/1] ieee802154: ca8210: Fix potential security exploit Harry Morris
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).