[PATCH v2 0/1] ieee802154: ca8210: Fix potential security exploit

[PATCH v2 0/1] ieee802154: ca8210: Fix potential security exploit

[harrymorris12]

From: Harry Morris <h.morris@cascoda.com>

v2 to catch length==1 packets or malformed packets read in ca8210_test_check_upstream()

This patchset fixes a small bug in the ca8210 driver discovered by Domen Puncer Kugler <domen.puncer@samsung.com>.

The bug allows for uninitialised memory to be sent out over SPI by writing unexpected commands to the debug interface. The bug is described in more detail in 1/1.

This fix has been tested on a Raspberry Pi running kernel 4.9.37-v7+:

harry@raspberrypi:~ $ sudo bash -c 'echo -ne "\x4f\x10" > /sys/kernel/debug/ca8210'
bash: line 0: echo: write error: Invalid exchange
harry@raspberrypi:~ $

Harry Morris (1):
  ieee802154: ca8210: fix uninitialised data read

 drivers/net/ieee802154/ca8210.c | 7 +++++++
 1 file changed, 7 insertions(+)

-- 
2.11.0

[PATCH v2 1/1] ieee802154: ca8210: fix uninitialised data read

[harrymorris12]

From: Harry Morris <h.morris@cascoda.com>

In ca8210_test_int_user_write() a user can request the transfer of a
frame with a length field (command.length) that is longer than the
actual buffer provided (len). In this scenario the driver will copy
the buffer contents into the uninitialised command[] buffer, then
transfer <data.length> bytes over the SPI even though only <len> bytes
had been populated, potentially leaking sensitive kernel memory.

Also the first 6 bytes of the command buffer must be initialised in case
a malformed, short packet is written and the uninitialised bytes are
read in ca8210_test_check_upstream.

Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
Signed-off-by: Harry Morris <h.morris@cascoda.com>
Tested-by: Harry Morris <h.morris@cascoda.com>
---
 drivers/net/ieee802154/ca8210.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index 377af43b8..58299fb66 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -2493,13 +2493,14 @@ static ssize_t ca8210_test_int_user_write(
 	struct ca8210_priv *priv = filp->private_data;
 	u8 command[CA8210_SPI_BUF_SIZE];
 
-	if (len > CA8210_SPI_BUF_SIZE) {
+	memset(command, SPI_IDLE, 6);
+	if (len > CA8210_SPI_BUF_SIZE || len < 2) {
 		dev_warn(
 			&priv->spi->dev,
-			"userspace requested erroneously long write (%zu)\n",
+			"userspace requested erroneous write length (%zu)\n",
 			len
 		);
-		return -EMSGSIZE;
+		return -EBADE;
 	}
 
 	ret = copy_from_user(command, in_buf, len);
@@ -2511,6 +2512,13 @@ static ssize_t ca8210_test_int_user_write(
 		);
 		return -EIO;
 	}
+	if (len != command[1] + 2) {
+		dev_err(
+			&priv->spi->dev,
+			"write len does not match packet length field\n"
+		);
+		return -EBADE;
+	}
 
 	ret = ca8210_test_check_upstream(command, priv->spi);
 	if (ret == 0) {
-- 
2.11.0

Re: [PATCH v2 1/1] ieee802154: ca8210: fix uninitialised data read

[Stefan Schmidt]

Hello.


On 03/28/2018 12:54 PM, harrymorris12@gmail.com wrote:
> From: Harry Morris <h.morris@cascoda.com>
>
> In ca8210_test_int_user_write() a user can request the transfer of a
> frame with a length field (command.length) that is longer than the
> actual buffer provided (len). In this scenario the driver will copy
> the buffer contents into the uninitialised command[] buffer, then
> transfer <data.length> bytes over the SPI even though only <len> bytes
> had been populated, potentially leaking sensitive kernel memory.
>
> Also the first 6 bytes of the command buffer must be initialised in case
> a malformed, short packet is written and the uninitialised bytes are
> read in ca8210_test_check_upstream.
>
> Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
> Signed-off-by: Harry Morris <h.morris@cascoda.com>
> Tested-by: Harry Morris <h.morris@cascoda.com>
> ---
>  drivers/net/ieee802154/ca8210.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
> index 377af43b8..58299fb66 100644
> --- a/drivers/net/ieee802154/ca8210.c
> +++ b/drivers/net/ieee802154/ca8210.c
> @@ -2493,13 +2493,14 @@ static ssize_t ca8210_test_int_user_write(
>  	struct ca8210_priv *priv = filp->private_data;
>  	u8 command[CA8210_SPI_BUF_SIZE];
>  
> -	if (len > CA8210_SPI_BUF_SIZE) {
> +	memset(command, SPI_IDLE, 6);
> +	if (len > CA8210_SPI_BUF_SIZE || len < 2) {
>  		dev_warn(
>  			&priv->spi->dev,
> -			"userspace requested erroneously long write (%zu)\n",
> +			"userspace requested erroneous write length (%zu)\n",
>  			len
>  		);
> -		return -EMSGSIZE;
> +		return -EBADE;
>  	}
>  
>  	ret = copy_from_user(command, in_buf, len);
> @@ -2511,6 +2512,13 @@ static ssize_t ca8210_test_int_user_write(
>  		);
>  		return -EIO;
>  	}
> +	if (len != command[1] + 2) {
> +		dev_err(
> +			&priv->spi->dev,
> +			"write len does not match packet length field\n"
> +		);
> +		return -EBADE;
> +	}
>  
>  	ret = ca8210_test_check_upstream(command, priv->spi);
>  	if (ret == 0) {

This patch has been applied to the wpan-next tree and will be
part of the next pull request to net-next. Thanks!

regards
Stefan Schmidt