[PATCH] staging: greybus: fix size_t underflow in cap_get_ims

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] staging: greybus: fix size_t underflow in cap_get_ims_certificate()
@ 2026-04-04 23:22 Delene Tchio Romuald
  2026-04-05  8:00 ` Greg KH
  0 siblings, 1 reply; 2+ messages in thread
From: Delene Tchio Romuald @ 2026-04-04 23:22 UTC (permalink / raw)
  To: gregkh; +Cc: linux-staging, linux-kernel, Delene Tchio Romuald, stable

In cap_get_ims_certificate(), the certificate size is computed as:

  *size = op->response->payload_size - sizeof(*response);

Both operands are size_t (unsigned), so if a malformed Greybus module
sends a response with payload_size smaller than sizeof(*response),
the subtraction wraps to a very large value. The subsequent memcpy()
then causes a heap buffer overflow.

Add a payload size validation before the subtraction to ensure the
response is large enough to contain the fixed-size response header.

Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald <delenetchior1@gmail.com>
---
 drivers/staging/greybus/authentication.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/greybus/authentication.c b/drivers/staging/greybus/authentication.c
index 97b9937bb..1c14ad184 100644
--- a/drivers/staging/greybus/authentication.c
+++ b/drivers/staging/greybus/authentication.c
@@ -132,6 +132,12 @@ static int cap_get_ims_certificate(struct gb_cap *cap, u32 class, u32 id,
 
 	response = op->response->payload;
 	*result = response->result_code;
+
+	if (op->response->payload_size < sizeof(*response)) {
+		ret = -EINVAL;
+		goto done;
+	}
+
 	*size = op->response->payload_size - sizeof(*response);
 	memcpy(certificate, response->certificate, *size);
 
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] staging: greybus: fix size_t underflow in cap_get_ims_certificate()
  2026-04-04 23:22 [PATCH] staging: greybus: fix size_t underflow in cap_get_ims_certificate() Delene Tchio Romuald
@ 2026-04-05  8:00 ` Greg KH
  0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2026-04-05  8:00 UTC (permalink / raw)
  To: Delene Tchio Romuald; +Cc: linux-staging, linux-kernel, stable

On Sun, Apr 05, 2026 at 12:22:42AM +0100, Delene Tchio Romuald wrote:
> In cap_get_ims_certificate(), the certificate size is computed as:
> 
>   *size = op->response->payload_size - sizeof(*response);
> 
> Both operands are size_t (unsigned), so if a malformed Greybus module
> sends a response with payload_size smaller than sizeof(*response),
> the subtraction wraps to a very large value. The subsequent memcpy()
> then causes a heap buffer overflow.

How can you have a "malformed greybus module"?

Please fix your ai tool's threat model to be realistic :)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-05  8:00 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-04 23:22 [PATCH] staging: greybus: fix size_t underflow in cap_get_ims_certificate() Delene Tchio Romuald
2026-04-05  8:00 ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox