[PATCH v1] greybus: authentication: validate CAP response payload size

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Muhammad Bilal <meatuni001@gmail.com>
To: greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev
Cc: vireshk@kernel.org, johan@kernel.org, elder@kernel.org,
	gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
	Muhammad Bilal <meatuni001@gmail.com>
Subject: [PATCH v1] greybus: authentication: validate CAP response payload size
Date: Mon,  4 May 2026 19:33:28 -0400	[thread overview]
Message-ID: <20260504233328.7409-1-meatuni001@gmail.com> (raw)

cap_get_ims_certificate() and cap_authenticate() copy variable-length
response data directly into fixed-size UAPI buffers using the
untrusted op->response->payload_size value without any bounds checks.

A malicious or compromised Greybus endpoint can return an oversized
certificate or signature payload, causing a kernel heap overflow.

Fix both functions by:
  - Rejecting responses shorter than sizeof(*response) with -EPROTO.
  - Rejecting payloads exceeding CAP_CERTIFICATE_MAX_SIZE (1600) or
    CAP_SIGNATURE_MAX_SIZE (320) with -EMSGSIZE.
  - Copying only the validated size into the UAPI buffer.

Fixes: e3eda54d0b5f ("greybus: Add Component Authentication Protocol support")
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
 drivers/staging/greybus/authentication.c | 34 +++++++++++++++++++++---
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/greybus/authentication.c b/drivers/staging/greybus/authentication.c
index 97b9937bb..103cc15d2 100644
--- a/drivers/staging/greybus/authentication.c
+++ b/drivers/staging/greybus/authentication.c
@@ -109,6 +109,7 @@ static int cap_get_ims_certificate(struct gb_cap *cap, u32 class, u32 id,
 	struct gb_cap_get_ims_certificate_request *request;
 	struct gb_cap_get_ims_certificate_response *response;
 	size_t max_size = gb_operation_get_payload_size_max(connection);
+	size_t cert_size;
 	struct gb_operation *op;
 	int ret;
 
@@ -131,9 +132,21 @@ static int cap_get_ims_certificate(struct gb_cap *cap, u32 class, u32 id,
 	}
 
 	response = op->response->payload;
+
+	if (op->response->payload_size < sizeof(*response)) {
+		ret = -EPROTO;
+		goto done;
+	}
+
+	cert_size = op->response->payload_size - sizeof(*response);
+	if (cert_size > CAP_CERTIFICATE_MAX_SIZE) {
+		ret = -EMSGSIZE;
+		goto done;
+	}
+
 	*result = response->result_code;
-	*size = op->response->payload_size - sizeof(*response);
-	memcpy(certificate, response->certificate, *size);
+	*size = (u32)cert_size;
+	memcpy(certificate, response->certificate, cert_size);
 
 done:
 	gb_operation_put(op);
@@ -148,6 +161,7 @@ static int cap_authenticate(struct gb_cap *cap, u32 auth_type, u8 *uid,
 	struct gb_cap_authenticate_request *request;
 	struct gb_cap_authenticate_response *response;
 	size_t max_size = gb_operation_get_payload_size_max(connection);
+	size_t sig_size;
 	struct gb_operation *op;
 	int ret;
 
@@ -170,10 +184,22 @@ static int cap_authenticate(struct gb_cap *cap, u32 auth_type, u8 *uid,
 	}
 
 	response = op->response->payload;
+
+	if (op->response->payload_size < sizeof(*response)) {
+		ret = -EPROTO;
+		goto done;
+	}
+
+	sig_size = op->response->payload_size - sizeof(*response);
+	if (sig_size > CAP_SIGNATURE_MAX_SIZE) {
+		ret = -EMSGSIZE;
+		goto done;
+	}
+
 	*result = response->result_code;
-	*signature_size = op->response->payload_size - sizeof(*response);
+	*signature_size = (u32)sig_size;
 	memcpy(auth_response, response->response, sizeof(response->response));
-	memcpy(signature, response->signature, *signature_size);
+	memcpy(signature, response->signature, sig_size);
 
 done:
 	gb_operation_put(op);
-- 
2.54.0

next             reply	other threads:[~2026-05-04 23:35 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-04 23:33 Muhammad Bilal [this message]
2026-05-11  7:53 ` [PATCH v1] greybus: authentication: validate CAP response payload size Greg KH
2026-05-11 12:35   ` 0nsec
2026-05-11 12:41   ` Muhammad Bilal

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:97b9937b dfblob:103cc15d )
 OR (
bs:"[PATCH v1] greybus: authentication: validate CAP response payload size" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260504233328.7409-1-meatuni001@gmail.com \
    --to=meatuni001@gmail.com \
    --cc=elder@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=greybus-dev@lists.linaro.org \
    --cc=johan@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-staging@lists.linux.dev \
    --cc=vireshk@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.