From mboxrd@z Thu Jan 1 00:00:00 1970
From: 0nsec
X-Google-Original-From: 0nsec <0nsec@proton.me>
To: gregkh@linuxfoundation.org
Cc: greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev, vireshk@kernel.org, johan@kernel.org, elder@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] greybus: authentication: validate CAP response payload size
Date: Mon, 11 May 2026 08:35:41 -0400
Message-ID: <20260511123541.21668-1-0nsec@proton.me>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <2026051156-hamster-plating-7ae7@gregkh>
References: <2026051156-hamster-plating-7ae7@gregkh>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 11, 2026 at 03:53:00AM +0000, Greg KH wrote:
> Was this tested on any real greybus devices?

No, I do not have access to real Greybus hardware. The issue was identified through code review of drivers/staging/greybus/authentication.c.

The vulnerable paths are:

1. payload_size is used in a subtraction without first verifying payload_size >= sizeof(*response), which can underflow on short responses.
2. The resulting size is passed directly to memcpy() into fixed-size UAPI buffers without validating against CAP_CERTIFICATE_MAX_SIZE or CAP_SIGNATURE_MAX_SIZE.

A malicious or compromised Greybus endpoint could therefore trigger an out-of-bounds write through an oversized payload. The fix adds the missing bounds checks before the memcpy() calls, which matches common kernel validation patterns.

If testing on real hardware is required before merging, I am happy to wait.

Thanks,
Muhammad Bilal
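The two checks described in the reply (a lower bound on payload_size before the subtraction, and an upper bound against the destination buffer before memcpy) as an added, stand-alone C example. This is not the patch under review or the driver's code: the struct layout, the function names and the numeric values of CAP_CERTIFICATE_MAX_SIZE and CAP_SIGNATURE_MAX_SIZE are constructed stand-ins for illustration only.

```c
/* Added example, not from the patch or the Greybus driver: validating a
 * variable-length response payload before copying it into a fixed-size
 * buffer. All names, the struct layout and the limits are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

/* Constructed stand-ins for the UAPI limits (the real values are defined
 * in the kernel's Greybus authentication UAPI header, not here). */
#define CAP_CERTIFICATE_MAX_SIZE 1600
#define CAP_SIGNATURE_MAX_SIZE   320

/* Hypothetical response: a fixed header followed by the certificate bytes.
 * The sender-controlled payload_size covers header plus certificate. */
struct cap_response {
	uint8_t result_code;
	uint8_t certificate[]; /* payload_size - sizeof(header) bytes */
};

/* The arithmetic the unchecked path performs: size_t subtraction with no
 * lower bound. For payload_size < sizeof(header) the result wraps to a
 * huge value, which is exactly what the reply calls an underflow. */
size_t derived_len_unchecked(size_t payload_size)
{
	return payload_size - sizeof(struct cap_response);
}

/* Hardened path. Returns the certificate length on success, or a negative
 * errno: -EPROTO for a response shorter than its own header, -EMSGSIZE
 * for a certificate that would not fit a max_size destination buffer. */
int cap_payload_len(size_t payload_size, size_t max_size)
{
	if (payload_size < sizeof(struct cap_response))
		return -EPROTO;     /* short response: subtraction would wrap */

	size_t len = payload_size - sizeof(struct cap_response);
	if (len > max_size)
		return -EMSGSIZE;   /* would write past the fixed-size buffer */

	return (int)len;
}

/* Copies the certificate into a CAP_CERTIFICATE_MAX_SIZE buffer only after
 * both checks pass. Returns bytes copied or a negative errno. */
int copy_certificate(const void *payload, size_t payload_size,
		     uint8_t dst[CAP_CERTIFICATE_MAX_SIZE])
{
	const struct cap_response *resp = payload;
	int len = cap_payload_len(payload_size, CAP_CERTIFICATE_MAX_SIZE);

	if (len < 0)
		return len;

	memcpy(dst, resp->certificate, (size_t)len);
	return len;
}

int main(void)
{
	/* Constructed sample payload: header byte plus a 4-byte certificate. */
	const uint8_t sample[] = { 0x00, 'a', 'b', 'c', 'd' };
	uint8_t dst[CAP_CERTIFICATE_MAX_SIZE] = { 0 };

	printf("unchecked len for a 0-byte response: %zu\n",
	       derived_len_unchecked(0));
	printf("checked len for a 0-byte response: %d\n",
	       cap_payload_len(0, CAP_CERTIFICATE_MAX_SIZE));
	printf("checked len for an oversized response: %d\n",
	       cap_payload_len(sizeof(struct cap_response) +
			       CAP_CERTIFICATE_MAX_SIZE + 1,
			       CAP_CERTIFICATE_MAX_SIZE));
	printf("copied %d bytes\n",
	       copy_certificate(sample, sizeof(sample), dst));
	return 0;
}
```

The lower-bound check must come first: once the subtraction has wrapped, comparing the result against the maximum still rejects it, but only by accident of the wrapped value being large, and the same unchecked pattern applied to the signature buffer with CAP_SIGNATURE_MAX_SIZE gets the identical two checks.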