Re: [PATCH v1] greybus: authentication: validate CAP response payload size

From: Greg KH

Date: Mon May 11 2026 - 04:11:25 EST


On Mon, May 04, 2026 at 07:33:28PM -0400, Muhammad Bilal wrote:
> cap_get_ims_certificate() and cap_authenticate() copy variable-length
> response data directly into fixed-size UAPI buffers using the
> untrusted op->response->payload_size value without any bounds checks.
>
> A malicious or compromised Greybus endpoint can return an oversized
> certificate or signature payload, causing a kernel heap overflow.
>
> Fix both functions by:
> - Rejecting responses shorter than sizeof(*response) with -EPROTO.
> - Rejecting payloads exceeding CAP_CERTIFICATE_MAX_SIZE (1600) or
>   CAP_SIGNATURE_MAX_SIZE (320) with -EMSGSIZE.
> - Copying only the validated size into the UAPI buffer.
>
> Fixes: e3eda54d0b5f ("greybus: Add Component Authentication Protocol support")
> Signed-off-by: Muhammad Bilal <meatuni001@xxxxxxxxx>
> ---
> drivers/staging/greybus/authentication.c | 34 +++++++++++++++++++++---
> 1 file changed, 30 insertions(+), 4 deletions(-)

Was this tested on any real greybus devices?

thanks,

greg k-h
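
The three checks listed in the quoted patch description, modelled in userspace C as an added example; it is not the patch or the driver's code. The struct layout, the function names and the 4096-byte simulated receive buffer are assumptions; the 1600-byte limit and the two error codes are the ones the description names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_CERTIFICATE_MAX_SIZE 1600 /* limit quoted in the patch description */

/* Hypothetical wire layout: fixed header, then variable-length data. */
struct cert_response {
	uint8_t result_code;
	uint8_t certificate[];
};

/* Copy out of an untrusted response; out holds CAP_CERTIFICATE_MAX_SIZE bytes.
 * Returns the number of bytes copied, or a negative errno. */
static long copy_certificate(const void *payload, size_t payload_size, uint8_t *out)
{
	const struct cert_response *resp = payload;
	size_t len;

	/* Shorter than the fixed header: the subtraction below would wrap. */
	if (payload_size < sizeof(*resp))
		return -EPROTO;
	len = payload_size - sizeof(*resp);

	/* Peer-chosen length is larger than the fixed destination buffer. */
	if (len > CAP_CERTIFICATE_MAX_SIZE)
		return -EMSGSIZE;

	memcpy(out, resp->certificate, len); /* only the validated size */
	return (long)len;
}

/* Constructed input: a simulated peer response of payload_size (<= 4096) bytes. */
static long try_response(size_t payload_size)
{
	static uint8_t wire[4096];
	uint8_t uapi_buf[CAP_CERTIFICATE_MAX_SIZE];

	memset(wire, 0xAA, sizeof(wire));
	return copy_certificate(wire, payload_size, uapi_buf);
}

int main(void)
{
	size_t sizes[] = { 0, 1, 1601, 1602, 4096 };
	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("payload_size=%zu -> %ld\n", sizes[i], try_response(sizes[i]));
	return 0;
}
```

The boundary cases are the ones worth exercising on hardware or in a fuzzer: a header-only response, a payload of exactly the maximum size, and one byte over.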