Future of Ozwpan Driver - Maintainer? [Was: Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities]

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: linux-kernel@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	devel@driverdev.osuosl.org,
	Shigekatsu Tateno <shigekatsu.tateno@atmel.com>,
	rupesh.gujare@atmel.com
Subject: Future of Ozwpan Driver - Maintainer? [Was: Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities]
Date: Mon, 1 Jun 2015 15:34:57 +0200	[thread overview]
Message-ID: <CAHmME9pW4PHZ++wwwHMyfvJNkbWeRa9Mqn6G1YHWScFgUNyVQA@mail.gmail.com> (raw)

Hi all,

With four security critical bug patches having finally been put in
Greg's for-linus branch [1][2][3][4], I'd like to turn attention back
at the bigger issue. Where is the maintainer of this driver during
these discussions? The MAINTAINERS file lists Shigekatsu Tateno, and
in a commit [5] from May of last year, Rupesh Gujare turned over
maintenance to him.

I ask because I also noted another important vulnerability in my
original patch series cover letter, with the hope that the actual
maintainer would take care of patching this, as it is likely a little
bit nuanced:

On Wed, May 13, 2015 at 8:33 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> On a slightly related note, there are several other vulnerabilities in
> this driver that are worth looking into. When ozwpan receives a packet,
> it casts the packet into a variety of different structs, based on the
> value of type and length parameters inside the packet. When making these
> casts, and when reading bytes based on this length parameter, the actual
> length of the packet in the socket buffer is never actually consulted. As
> such, it's very likely that a packet could be sent that results in the
> kernel reading memory in adjacent buffers, resulting in an information
> leak, or from unpaged addresses, resulting in a crash. In the former case,
> it may be possible with certain message types to actually send these
> leaked adjacent bytes back to the sender of the packet. So, I'd highly
> recommend the maintainers of this driver go branch-by-branch from the
> initial rx function, adding checks to ensure all reads and casts are
> within the bounds of the socket buffer.

It seems a bit odd to not receive any review from the actual
maintainer, and seeing that there is still a pending security issue
that hasn't been addressed, I wonder if we should revisit what Dan
suggested last week:

On Thu, May 28, 2015 at 1:04 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> Maybe we should just delete these ozwpan drivers entirely...  They were
> merged when Ozmodevices was its own company and I don't think anyone is
> working on them any more.

I know for a fact that the drivers *are* in use places, though not
necessarily with the upstream codebase. Also, it was more or less
exactly a year ago when Atmel appointed the new maintainer, which
makes me hope that somebody there still cares about them. But I'm not
sure exactly.

What's the best way to proceed? Is anybody in a position to reach out
and nudge the maintainer? Or is it just the case that Atmel's vacation
policy is awesome, and he's just been hanging out on the beach, and
I'm jumping the gun with this email?

Thanks,
Jason

[1] https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=d114b9fe78c8d6fc6e70808c2092aa307c36dc8e
[2] https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c
[3] https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=04bf464a5dfd9ade0dda918e44366c2c61fce80b
[4] https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/?id=9a59029bc218b48eff8b5d4dde5662fd79d3e1a8
[5] https://git.kernel.org/cgit/linux/kernel/git/gregkh/staging.git/commit/drivers/staging/ozwpan?h=staging-linus&id=96747a8f4e7d187f236ad392d86a37a4d1ba0b32