The Linux Kernel Mailing List
From: Muhammad Bilal <meatuni001@gmail.com>
To: gregkh@linuxfoundation.org
Cc: greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev,
	vireshk@kernel.org, johan@kernel.org, elder@kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] greybus: authentication: validate CAP response payload size
Date: Mon, 11 May 2026 08:41:30 -0400
Message-ID: <20260511124130.22092-1-meatuni001@gmail.com>
In-Reply-To: <2026051156-hamster-plating-7ae7@gregkh>

On Mon, May 11, 2026 at 03:53:00AM +0000, Greg KH wrote:
> Was this tested on any real greybus devices?

No, I do not have access to real Greybus hardware. The issue was
identified through code review of drivers/staging/greybus/authentication.c.

The vulnerable paths are:

1. payload_size is used in a subtraction without first verifying
   payload_size >= sizeof(*response), which can underflow on short
   responses.

2. The resulting size is passed directly to memcpy() into fixed-size
   UAPI buffers without validating against CAP_CERTIFICATE_MAX_SIZE
   or CAP_SIGNATURE_MAX_SIZE.

A malicious or compromised Greybus endpoint could therefore trigger
an out-of-bounds write through an oversized payload.

The fix adds the missing bounds checks before the memcpy() calls,
which matches common kernel validation patterns.

If testing on real hardware is required before merging, I am happy
to wait.

Thanks,
Muhammad Bilal
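The two defects described in the message above, modelled in a small stand-alone C program. This is an added illustration, not code from the patch or from drivers/staging/greybus/authentication.c: `struct cap_hdr`, `CAP_BLOB_MAX`, `unchecked_blob_len()` and `cap_copy_blob()` are hypothetical stand-ins for the kernel's response struct, the `CAP_*_MAX_SIZE` limits and the copy path. `unchecked_blob_len()` reproduces only the arithmetic of the unchecked path, so the reader can see the `size_t` wrap on a short payload; `cap_copy_blob()` shows the validation order the patch adds (minimum length first, then the maximum before `memcpy()`).

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a CAP response: a fixed header followed by a
 * variable-length blob (certificate or signature). The real kernel struct
 * layout is not reproduced here. */
struct cap_hdr {
	uint8_t  status;
	uint8_t  reserved;
	uint16_t flags;
};

/* Hypothetical upper bound, standing in for CAP_CERTIFICATE_MAX_SIZE /
 * CAP_SIGNATURE_MAX_SIZE. */
#define CAP_BLOB_MAX 16

/* Defect 1: the unchecked subtraction. With payload_size smaller than the
 * header, the size_t result wraps to a huge value. This function only
 * returns that value; it deliberately performs no copy. */
size_t unchecked_blob_len(size_t payload_size)
{
	return payload_size - sizeof(struct cap_hdr);
}

/* Validated copy: the pattern the patch adds.
 * Returns 0 on success, -EINVAL when the payload is shorter than its own
 * header (would underflow), -EMSGSIZE when the trailing blob would not
 * fit the fixed-size destination (would overflow dst). */
int cap_copy_blob(const uint8_t *payload, size_t payload_size,
		  uint8_t *dst, size_t dst_max, size_t *copied)
{
	size_t blob_len;

	/* Check 1: enough bytes for the header, so the subtraction is safe. */
	if (payload_size < sizeof(struct cap_hdr))
		return -EINVAL;

	blob_len = payload_size - sizeof(struct cap_hdr);

	/* Check 2: the blob must fit the destination buffer. */
	if (blob_len > dst_max)
		return -EMSGSIZE;

	memcpy(dst, payload + sizeof(struct cap_hdr), blob_len);
	*copied = blob_len;
	return 0;
}

int main(void)
{
	/* Constructed sample payloads: header plus blob. */
	uint8_t ok[sizeof(struct cap_hdr) + 5] = { 0, 0, 0, 0, 'a', 'b', 'c', 'd', 'e' };
	uint8_t big[sizeof(struct cap_hdr) + CAP_BLOB_MAX + 1] = { 0 };
	uint8_t dst[CAP_BLOB_MAX];
	size_t n = 0;

	printf("unchecked len for 2-byte payload: %zu\n", unchecked_blob_len(2));
	printf("valid payload: rc=%d copied=%zu\n",
	       cap_copy_blob(ok, sizeof(ok), dst, sizeof(dst), &n), n);
	printf("short payload: rc=%d\n",
	       cap_copy_blob(ok, 2, dst, sizeof(dst), &n));
	printf("oversized payload: rc=%d\n",
	       cap_copy_blob(big, sizeof(big), dst, sizeof(dst), &n));
	return 0;
}
```

The order of the two checks matters: comparing `payload_size - sizeof(*response)` against the maximum without first establishing `payload_size >= sizeof(*response)` would still pass a wrapped value through whenever the wrapped result happened to be compared as signed, so the minimum-length check has to come first.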

Thread overview: 4+ messages
2026-05-04 23:33 [PATCH v1] greybus: authentication: validate CAP response payload size Muhammad Bilal
2026-05-11  7:53 ` Greg KH
2026-05-11 12:35   ` 0nsec
2026-05-11 12:41   ` Muhammad Bilal [this message]