Re: [PATCH v1] greybus: authentication: validate CAP response payload size

From: Muhammad Bilal

Date: Mon May 11 2026 - 08:46:45 EST


On Mon, May 11, 2026 at 03:53:00AM +0000, Greg KH wrote:
> Was this tested on any real greybus devices?

No, I do not have access to real Greybus hardware. The issue was
identified through code review of drivers/staging/greybus/authentication.c.

The vulnerable paths are:

1. payload_size is used in a subtraction without first verifying
payload_size >= sizeof(*response), which can underflow on short
responses.

2. The resulting size is passed directly to memcpy() into fixed-size
UAPI buffers without validating against CAP_CERTIFICATE_MAX_SIZE
or CAP_SIGNATURE_MAX_SIZE.

A malicious or compromised Greybus endpoint could therefore trigger
an out-of-bounds write through an oversized payload.

The fix adds the missing bounds checks before the memcpy() calls,
which matches common kernel validation patterns.

If testing on real hardware is required before merging, I am happy
to wait.

Thanks,
Muhammad Bilal
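The two validation steps named in the reply (reject a response shorter than its header before subtracting, then reject a certificate longer than the fixed-size destination before memcpy) as a stand-alone added example. This is not code from the patch or from drivers/staging/greybus/authentication.c: the struct layouts, the `cap_ioc_get_certificate` destination and the numeric value of CAP_CERTIFICATE_MAX_SIZE are constructed for illustration, and `cap_cert_size_unchecked` only computes the wrapped length so it can be inspected, never uses it as a copy length.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit; the real driver's value is not reproduced here. */
#define CAP_CERTIFICATE_MAX_SIZE 1600

/* Hypothetical wire response: a status byte followed by certificate bytes. */
struct cap_get_certificate_response {
	uint8_t result_code;
	uint8_t certificate[];
};

/* Hypothetical UAPI destination: fixed-size buffer plus a length field. */
struct cap_ioc_get_certificate {
	uint32_t cert_size;
	uint8_t certificate[CAP_CERTIFICATE_MAX_SIZE];
};

/*
 * The unguarded arithmetic from the reply: for payload_size smaller than
 * the header, the unsigned subtraction wraps to a value far above any
 * buffer size. Returned for inspection only; never passed to memcpy().
 */
size_t cap_cert_size_unchecked(size_t payload_size)
{
	const struct cap_get_certificate_response *response = NULL;

	return payload_size - sizeof(*response); /* sizeof() does not deref */
}

/*
 * Hardened copy, kernel-style negative errno on failure:
 *  - short response rejected before the subtraction can underflow;
 *  - certificate length checked against the destination before memcpy().
 */
int cap_copy_certificate(const void *payload, size_t payload_size,
			 struct cap_ioc_get_certificate *out)
{
	const struct cap_get_certificate_response *response = payload;
	size_t cert_size;

	if (!payload || !out)
		return -EINVAL;
	if (payload_size < sizeof(*response))
		return -EINVAL;			/* short response */
	cert_size = payload_size - sizeof(*response);
	if (cert_size > CAP_CERTIFICATE_MAX_SIZE)
		return -EMSGSIZE;		/* oversized certificate */

	out->cert_size = (uint32_t)cert_size;
	memcpy(out->certificate, response->certificate, cert_size);
	return 0;
}

int main(void)
{
	/* Constructed sample: status byte 0 followed by four certificate bytes. */
	static const uint8_t good[] = { 0x00, 0xde, 0xad, 0xbe, 0xef };
	static const uint8_t big[CAP_CERTIFICATE_MAX_SIZE + 2];
	struct cap_ioc_get_certificate out;

	printf("unchecked size for empty payload: %zu\n",
	       cap_cert_size_unchecked(0));
	printf("good: %d (cert_size=%u)\n",
	       cap_copy_certificate(good, sizeof(good), &out), out.cert_size);
	printf("empty: %d\n", cap_copy_certificate(good, 0, &out));
	printf("oversized: %d\n", cap_copy_certificate(big, sizeof(big), &out));
	return 0;
}
```

The order of the two checks matters: the length comparison against CAP_CERTIFICATE_MAX_SIZE is only meaningful once the subtraction is known not to have wrapped, which is why the header-size check comes first.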