From: Muhammad Bilal
To: gregkh@linuxfoundation.org
Cc: greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev, vireshk@kernel.org, johan@kernel.org, elder@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] greybus: authentication: validate CAP response payload size
Date: Mon, 11 May 2026 08:41:30 -0400
Message-ID: <20260511124130.22092-1-meatuni001@gmail.com>
In-Reply-To: <2026051156-hamster-plating-7ae7@gregkh>
References: <2026051156-hamster-plating-7ae7@gregkh>

On Mon, May 11, 2026 at 03:53:00AM +0000, Greg KH wrote:
> Was this tested on any real greybus devices?

No, I do not have access to real Greybus hardware. The issue was
identified through code review of drivers/staging/greybus/authentication.c.

The vulnerable paths are:

1. payload_size is used in a subtraction without first verifying
   payload_size >= sizeof(*response), which can underflow on short
   responses.

2. The resulting size is passed directly to memcpy() into fixed-size
   UAPI buffers without validating against CAP_CERTIFICATE_MAX_SIZE or
   CAP_SIGNATURE_MAX_SIZE.

A malicious or compromised Greybus endpoint could therefore trigger an
out-of-bounds write through an oversized payload.

The fix adds the missing bounds checks before the memcpy() calls, which
matches common kernel validation patterns.

If testing on real hardware is required before merging, I am happy to
wait.

Thanks,
Muhammad Bilal
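
Added example, not part of the original message and not the greybus driver's code: a user-space C model of the two checks the message describes, with the unchecked subtraction shown beside the validated copy. The struct layout, the EXAMPLE_CERT_MAX value and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for CAP_CERTIFICATE_MAX_SIZE; the value is constructed for this example. */
#define EXAMPLE_CERT_MAX 64

/* Hypothetical wire layout: a fixed header followed by variable certificate bytes. */
struct example_cert_response {
	uint8_t result_code;
	uint8_t certificate[];
};

/* What the unchecked subtraction yields: wraps to a huge size_t on a short payload. */
size_t unchecked_cert_size(size_t payload_size)
{
	return payload_size - sizeof(struct example_cert_response);
}

/* Validated copy: reject short and oversized payloads before touching dst. */
int copy_certificate(const void *payload, size_t payload_size,
		     uint8_t dst[EXAMPLE_CERT_MAX], uint32_t *size_out)
{
	const struct example_cert_response *rsp = payload;
	size_t size;
	if (payload_size < sizeof(*rsp))
		return -EINVAL;	/* check 1: the subtraction would underflow */
	size = payload_size - sizeof(*rsp);
	if (size > EXAMPLE_CERT_MAX)
		return -EINVAL;	/* check 2: memcpy would overrun the fixed buffer */
	memcpy(dst, rsp->certificate, size);
	*size_out = (uint32_t)size;
	return 0;
}

/* Run copy_certificate() on a constructed payload; returns bytes copied or -errno. */
int demo_copy(size_t payload_size)
{
	static const uint8_t payload[256] = { 0 };	/* constructed sample message */
	uint8_t dst[EXAMPLE_CERT_MAX];
	uint32_t n = 0;
	int ret = copy_certificate(payload, payload_size, dst, &n);
	return ret ? ret : (int)n;
}

int main(void)
{
	printf("unchecked(0)=%zu short=%d max=%d over=%d\n", unchecked_cert_size(0),
	       demo_copy(0), demo_copy(65), demo_copy(66));
	return 0;
}
```

The order of the two checks matters: the upper-bound comparison is only meaningful once the lower-bound check has ruled out the wrapped value.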