* [PATCH v2 0/1] ieee802154: ca8210: Fix potential security exploit
@ 2018-03-28 10:54 harrymorris12
2018-03-28 10:54 ` [PATCH v2 1/1] ieee802154: ca8210: fix uninitialised data read harrymorris12
0 siblings, 1 reply; 3+ messages in thread
From: harrymorris12 @ 2018-03-28 10:54 UTC (permalink / raw)
To: linux-wpan; +Cc: stefan, aring, domen.puncer, Harry Morris
From: Harry Morris <h.morris@cascoda.com>
v2 to catch length==1 packets or malformed packets read in ca8210_test_check_upstream()
This patchset fixes a small bug in the ca8210 driver discovered by Domen Puncer Kugler <domen.puncer@samsung.com>.
The bug allows for uninitialised memory to be sent out over SPI by writing unexpected commands to the debug interface. The bug is described in more detail in 1/1.
This fix has been tested on a Raspberry Pi running kernel 4.9.37-v7+:
harry@raspberrypi:~ $ sudo bash -c 'echo -ne "\x4f\x10" > /sys/kernel/debug/ca8210'
bash: line 0: echo: write error: Invalid exchange
harry@raspberrypi:~ $
Harry Morris (1):
ieee802154: ca8210: fix uninitialised data read
drivers/net/ieee802154/ca8210.c | 7 +++++++
1 file changed, 7 insertions(+)
--
2.11.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH v2 1/1] ieee802154: ca8210: fix uninitialised data read
2018-03-28 10:54 [PATCH v2 0/1] ieee802154: ca8210: Fix potential security exploit harrymorris12
@ 2018-03-28 10:54 ` harrymorris12
2018-03-29 15:25 ` Stefan Schmidt
0 siblings, 1 reply; 3+ messages in thread
From: harrymorris12 @ 2018-03-28 10:54 UTC (permalink / raw)
To: linux-wpan; +Cc: stefan, aring, domen.puncer, Harry Morris
From: Harry Morris <h.morris@cascoda.com>
In ca8210_test_int_user_write() a user can request the transfer of a
frame with a length field (command.length) that is longer than the
actual buffer provided (len). In this scenario the driver will copy
the buffer contents into the uninitialised command[] buffer, then
transfer <data.length> bytes over the SPI even though only <len> bytes
had been populated, potentially leaking sensitive kernel memory.
Also the first 6 bytes of the command buffer must be initialised in case
a malformed, short packet is written and the uninitialised bytes are
read in ca8210_test_check_upstream.
Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
Signed-off-by: Harry Morris <h.morris@cascoda.com>
Tested-by: Harry Morris <h.morris@cascoda.com>
---
drivers/net/ieee802154/ca8210.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index 377af43b8..58299fb66 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -2493,13 +2493,14 @@ static ssize_t ca8210_test_int_user_write(
struct ca8210_priv *priv = filp->private_data;
u8 command[CA8210_SPI_BUF_SIZE];
- if (len > CA8210_SPI_BUF_SIZE) {
+ memset(command, SPI_IDLE, 6);
+ if (len > CA8210_SPI_BUF_SIZE || len < 2) {
dev_warn(
&priv->spi->dev,
- "userspace requested erroneously long write (%zu)\n",
+ "userspace requested erroneous write length (%zu)\n",
len
);
- return -EMSGSIZE;
+ return -EBADE;
}
ret = copy_from_user(command, in_buf, len);
@@ -2511,6 +2512,13 @@ static ssize_t ca8210_test_int_user_write(
);
return -EIO;
}
+ if (len != command[1] + 2) {
+ dev_err(
+ &priv->spi->dev,
+ "write len does not match packet length field\n"
+ );
+ return -EBADE;
+ }
ret = ca8210_test_check_upstream(command, priv->spi);
if (ret == 0) {
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2 1/1] ieee802154: ca8210: fix uninitialised data read
2018-03-28 10:54 ` [PATCH v2 1/1] ieee802154: ca8210: fix uninitialised data read harrymorris12
@ 2018-03-29 15:25 ` Stefan Schmidt
0 siblings, 0 replies; 3+ messages in thread
From: Stefan Schmidt @ 2018-03-29 15:25 UTC (permalink / raw)
To: harrymorris12, linux-wpan; +Cc: aring, domen.puncer, Harry Morris
Hello.
On 03/28/2018 12:54 PM, harrymorris12@gmail.com wrote:
> From: Harry Morris <h.morris@cascoda.com>
>
> In ca8210_test_int_user_write() a user can request the transfer of a
> frame with a length field (command.length) that is longer than the
> actual buffer provided (len). In this scenario the driver will copy
> the buffer contents into the uninitialised command[] buffer, then
> transfer <data.length> bytes over the SPI even though only <len> bytes
> had been populated, potentially leaking sensitive kernel memory.
>
> Also the first 6 bytes of the command buffer must be initialised in case
> a malformed, short packet is written and the uninitialised bytes are
> read in ca8210_test_check_upstream.
>
> Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
> Signed-off-by: Harry Morris <h.morris@cascoda.com>
> Tested-by: Harry Morris <h.morris@cascoda.com>
> ---
> drivers/net/ieee802154/ca8210.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
> index 377af43b8..58299fb66 100644
> --- a/drivers/net/ieee802154/ca8210.c
> +++ b/drivers/net/ieee802154/ca8210.c
> @@ -2493,13 +2493,14 @@ static ssize_t ca8210_test_int_user_write(
> struct ca8210_priv *priv = filp->private_data;
> u8 command[CA8210_SPI_BUF_SIZE];
>
> - if (len > CA8210_SPI_BUF_SIZE) {
> + memset(command, SPI_IDLE, 6);
> + if (len > CA8210_SPI_BUF_SIZE || len < 2) {
> dev_warn(
> &priv->spi->dev,
> - "userspace requested erroneously long write (%zu)\n",
> + "userspace requested erroneous write length (%zu)\n",
> len
> );
> - return -EMSGSIZE;
> + return -EBADE;
> }
>
> ret = copy_from_user(command, in_buf, len);
> @@ -2511,6 +2512,13 @@ static ssize_t ca8210_test_int_user_write(
> );
> return -EIO;
> }
> + if (len != command[1] + 2) {
> + dev_err(
> + &priv->spi->dev,
> + "write len does not match packet length field\n"
> + );
> + return -EBADE;
> + }
>
> ret = ca8210_test_check_upstream(command, priv->spi);
> if (ret == 0) {
This patch has been applied to the wpan-next tree and will be
part of the next pull request to net-next. Thanks!
regards
Stefan Schmidt
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-03-29 15:25 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-28 10:54 [PATCH v2 0/1] ieee802154: ca8210: Fix potential security exploit harrymorris12
2018-03-28 10:54 ` [PATCH v2 1/1] ieee802154: ca8210: fix uninitialised data read harrymorris12
2018-03-29 15:25 ` Stefan Schmidt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).