Re: [PATCH] misc: nsm: bound the device-reported response length
From: Greg Kroah-Hartman
Date: Sun Jun 21 2026 - 01:37:57 EST
On Sat, Jun 20, 2026 at 09:42:11PM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
>
> nsm_sendrecv_msg_locked() stores the virtqueue used-ring length reported
> by the NSM device into msg->resp.len without bounding it to the response
> buffer. A malicious or buggy backend can report a length larger than the
> response buffer; parse_resp_raw() then copies that many bytes out of the
> fixed buffer to user space, disclosing adjacent kernel heap (an
> out-of-bounds read). The request path already floors its length in
> fill_req_raw(); the response path lacks the symmetric check.
>
> Clamp the stored length to the size of the response buffer. Well-behaved
> devices report no more than the posted buffer size, so conforming traffic
> is unaffected.
Is this really the only place where a "buggy" device that is bound to
the driver can cause any problems? Shouldn't the driver only be bound
to trusted devices to start with?
thanks,
greg k-h
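A constructed C model of the length check the commit message describes, added here as an illustration; it is not code from the NSM driver, the patch, or either participant. The buffer sizes, the `simulate()` harness, the `resp_len_*` helper names and the 0xAA/0x5E fill bytes are assumptions made for the example. A flat array stands in for the kernel heap so that the over-long copy stays inside defined storage while still showing how an adjacent object's bytes reach the caller when the device-reported length is stored unbounded, and how clamping to the posted buffer size stops that.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the bug class in the commit message: a fixed
 * response buffer whose fill length comes from the device, followed by
 * an adjacent heap object that must never reach user space.  Sizes and
 * names are illustrative assumptions and are NOT the NSM driver's.
 */
#define RESP_BUF_SIZE 16u
#define NEIGHBOUR_SIZE 16u

/* One flat array stands in for the kernel heap so that an over-long
 * copy stays inside defined storage; RESP_BUF and NEIGHBOUR are slices. */
static uint8_t fake_heap[RESP_BUF_SIZE + NEIGHBOUR_SIZE];
#define RESP_BUF   (fake_heap)
#define NEIGHBOUR  (fake_heap + RESP_BUF_SIZE)

/* Unbounded: stores whatever the used ring reported (the pre-fix behaviour). */
static size_t resp_len_unbounded(uint32_t used_len)
{
    return used_len;
}

/* Clamped: never exceeds the posted buffer, mirroring the fix and the
 * request-side floor the commit message mentions. */
static size_t resp_len_clamped(uint32_t used_len)
{
    return used_len < RESP_BUF_SIZE ? used_len : RESP_BUF_SIZE;
}

/* Stand-in for the copy-out to user space: copies len bytes from the
 * response buffer into the caller's (larger) buffer. */
static size_t copy_resp_to_user(uint8_t *dst, size_t dst_cap,
                                const uint8_t *resp, size_t len)
{
    if (len > dst_cap)
        len = dst_cap;
    memcpy(dst, resp, len);
    return len;
}

struct outcome {
    size_t copied;   /* bytes handed to the caller */
    size_t leaked;   /* of those, bytes that came from the neighbour object */
};

/* Run one device response through either length policy and count how
 * many bytes of the adjacent object ended up in the user buffer. */
static struct outcome simulate(uint32_t reported_len, int clamp)
{
    uint8_t user_buf[64];
    struct outcome o = { 0, 0 };
    size_t len, i;

    memset(RESP_BUF, 0xAA, RESP_BUF_SIZE);     /* constructed response payload */
    memset(NEIGHBOUR, 0x5E, NEIGHBOUR_SIZE);   /* constructed "secret" neighbour */

    len = clamp ? resp_len_clamped(reported_len)
                : resp_len_unbounded(reported_len);

    /* Edge of the constructed heap model only; a real kernel keeps reading. */
    if (len > sizeof(fake_heap))
        len = sizeof(fake_heap);

    o.copied = copy_resp_to_user(user_buf, sizeof(user_buf), RESP_BUF, len);
    for (i = RESP_BUF_SIZE; i < o.copied; i++)
        if (user_buf[i] == 0x5E)
            o.leaked++;
    return o;
}

int main(void)
{
    struct outcome bad = simulate(32, 0);
    struct outcome good = simulate(32, 1);

    printf("unbounded: copied %zu, leaked %zu neighbour bytes\n",
           bad.copied, bad.leaked);
    printf("clamped:   copied %zu, leaked %zu neighbour bytes\n",
           good.copied, good.leaked);
    return 0;
}
```

With a device reporting 32 bytes against a 16-byte buffer, the unbounded policy hands the caller all 16 bytes of the neighbouring object; the clamped policy copies exactly the posted buffer and nothing beyond it, and a conforming report of 8 bytes is passed through unchanged by both.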