[PATCH] misc: nsm: bound the device-reported response length

From: Bryam Vargas via B4 Relay

Date: Sat Jun 20 2026 - 22:42:20 EST


From: Bryam Vargas <hexlabsecurity@xxxxxxxxx>

nsm_sendrecv_msg_locked() stores the virtqueue used-ring length reported
by the NSM device into msg->resp.len without bounding it to the response
buffer. A malicious or buggy backend can report a length larger than the
response buffer; parse_resp_raw() then copies that many bytes out of the
fixed buffer to user space, disclosing adjacent kernel heap (an
out-of-bounds read). The request path already floors its length in
fill_req_raw(); the response path lacks the symmetric check.

Clamp the stored length to the size of the response buffer. Well-behaved
devices report no more than the posted buffer size, so conforming traffic
is unaffected.

Fixes: b9873755a6c8 ("misc: Add Nitro Secure Module driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Bryam Vargas <hexlabsecurity@xxxxxxxxx>
---
drivers/misc/nsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/nsm.c b/drivers/misc/nsm.c
index ef7b32742340..f759fbba049a 100644
--- a/drivers/misc/nsm.c
+++ b/drivers/misc/nsm.c
@@ -243,7 +243,7 @@ static int nsm_sendrecv_msg_locked(struct nsm *nsm)
goto cleanup;
}

- msg->resp.len = len;
+ msg->resp.len = min_t(unsigned int, len, sizeof(msg->resp.data));

rc = 0;
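Review bot: the clamp silently truncates a response from a device that reports more than sizeof(msg->resp.data), and the truncated bytes are then handed on as if they were the whole response, with no way for the caller to tell. Since the commit message itself treats a length beyond the posted buffer as the mark of a malicious or buggy backend, consider failing the request instead, e.g. `if (len > sizeof(msg->resp.data)) { rc = -EIO; goto cleanup; }` next to the existing `goto cleanup` above, or at minimum a dev_warn_ratelimited() so a misbehaving backend is visible rather than quietly tolerated. If clamping is kept, a one-line comment at the assignment saying why the device-reported length cannot be trusted would help the next reader, and mirroring whatever idiom fill_req_raw() uses on the request side would keep the two paths visibly symmetric, as the message intends.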


---
base-commit: 1a3746ccbb0a97bed3c06ccde6b880013b1dddc1
change-id: 20260620-b4-disp-a54b7dd6-4cbda73d614b

Best regards,
--
Bryam Vargas <hexlabsecurity@xxxxxxxxx>
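The over-read the patch closes, modelled in user-space C as an added example. This is not the driver's code and not part of the patch: the 64-byte response buffer, the 32-byte neighbouring field standing in for adjacent kernel heap, the marker bytes and the helper names are all constructed for the simulation. The copy reads through an enclosing struct so that the over-read stays defined behaviour here, while reproducing what an unbounded msg->resp.len would let parse_resp_raw() copy out in the kernel; the clamped variant applies the same min() as the hunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the fixed response buffer and whatever the allocator
 * placed next to it. Sizes and layout are assumptions for this simulation,
 * not the real nsm.c structures. */
#define RESP_DATA_SIZE 64
#define NEIGHBOUR_SIZE 32

struct fake_heap {
    uint8_t resp_data[RESP_DATA_SIZE];  /* stands in for msg->resp.data */
    uint8_t neighbour[NEIGHBOUR_SIZE];  /* adjacent heap the device must never see */
};

/* Length stored before the patch: the device-reported used-ring length is trusted. */
static size_t resp_len_unbounded(size_t reported)
{
    return reported;
}

/* Length stored after the patch: min_t(unsigned int, len, sizeof(msg->resp.data)). */
static size_t resp_len_clamped(size_t reported, size_t bufsize)
{
    return reported < bufsize ? reported : bufsize;
}

/*
 * Stand-in for parse_resp_raw(): copy resp.len bytes starting at resp_data
 * into the caller's buffer. Copying via the enclosing struct keeps this
 * defined even when len exceeds resp_data; in the kernel that same excess
 * is the out-of-bounds read the patch prevents.
 */
static size_t copy_response_to_user(const struct fake_heap *heap, size_t len,
                                    uint8_t *user, size_t user_cap)
{
    if (len > sizeof(*heap))
        len = sizeof(*heap);
    if (len > user_cap)
        len = user_cap;
    memcpy(user, heap, len);
    return len;
}

/*
 * Push one device response through the path and count how many bytes of the
 * neighbouring field reached user space. clamp=0 models the pre-patch driver,
 * clamp=1 the patched one.
 */
static size_t leaked_neighbour_bytes(size_t reported_len, int clamp)
{
    struct fake_heap heap;
    uint8_t user[RESP_DATA_SIZE + NEIGHBOUR_SIZE];
    size_t len, copied, i, leaked = 0;

    memset(heap.resp_data, 0x11, sizeof(heap.resp_data)); /* legitimate response bytes */
    memset(heap.neighbour, 0xAA, sizeof(heap.neighbour)); /* marker for adjacent heap */

    len = clamp ? resp_len_clamped(reported_len, sizeof(heap.resp_data))
                : resp_len_unbounded(reported_len);
    copied = copy_response_to_user(&heap, len, user, sizeof(user));

    for (i = RESP_DATA_SIZE; i < copied; i++)
        if (user[i] == 0xAA)
            leaked++;
    return leaked;
}

int main(void)
{
    size_t bad = RESP_DATA_SIZE + NEIGHBOUR_SIZE; /* device claims 96 bytes for a 64-byte buffer */

    printf("unclamped, reported %zu: %zu neighbour bytes leaked\n",
           bad, leaked_neighbour_bytes(bad, 0));
    printf("clamped,   reported %zu: %zu neighbour bytes leaked\n",
           bad, leaked_neighbour_bytes(bad, 1));
    printf("clamped,   reported %d: %zu neighbour bytes leaked\n",
           40, leaked_neighbour_bytes(40, 1));
    return 0;
}
```

With a reported length of 96 the unclamped path copies all 32 marker bytes out of the neighbouring field; the clamped path stops at the 64-byte buffer and leaks none, and a conforming length such as 40 is passed through unchanged, which is the "conforming traffic is unaffected" claim in the commit message.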