[PATCH] staging: greybus: fix size_t underflow in cap_get_ims_certificate()
From: Delene Tchio Romuald
Date: Sat Apr 04 2026 - 19:23:43 EST
In cap_get_ims_certificate(), the certificate size is computed as:
*size = op->response->payload_size - sizeof(*response);
Both operands are size_t (unsigned), so if a malformed Greybus module
sends a response with payload_size smaller than sizeof(*response),
the subtraction wraps to a very large value. The subsequent memcpy()
then causes a heap buffer overflow.
Add a payload size validation before the subtraction to ensure the
response is large enough to contain the fixed-size response header.
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Delene Tchio Romuald <delenetchior1@xxxxxxxxx>
---
drivers/staging/greybus/authentication.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/staging/greybus/authentication.c b/drivers/staging/greybus/authentication.c
index 97b9937bb..1c14ad184 100644
--- a/drivers/staging/greybus/authentication.c
+++ b/drivers/staging/greybus/authentication.c
@@ -132,6 +132,12 @@ static int cap_get_ims_certificate(struct gb_cap *cap, u32 class, u32 id,
response = op->response->payload;
*result = response->result_code;
+
+ if (op->response->payload_size < sizeof(*response)) {
+ ret = -EINVAL;
+ goto done;
+ }
+
*size = op->response->payload_size - sizeof(*response);
memcpy(certificate, response->certificate, *size);
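Review bot: the new check is placed after `*result = response->result_code;`, so on an undersized payload the driver still reads `result_code` out of a response that the very next statement establishes is too short to contain a full `struct` header; move the `if (op->response->payload_size < sizeof(*response))` block up so it runs before any field of `response` is dereferenced. Separately, the check only stops the subtraction from wrapping; the resulting `*size` still goes into `memcpy(certificate, response->certificate, *size)` with no bound against the capacity of the `certificate` destination buffer, so if that buffer has a fixed size the copy length should also be compared against it (or the oversized response rejected) before copying.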
--
2.43.0