From: Harry Morris <h.morris@xxxxxxxxxxx> In ca8210_test_int_user_write() a user can request the transfer of a frame with a length field (command.length) that is longer than the actual buffer provided (len). In this scenario the driver will copy the buffer contents into the uninitialised command[] buffer, then transfer <data.length> bytes over the SPI even though only <len> bytes had been populated, potentially leaking sensitive kernel memory. Reported-by: Domen Puncer Kugler <domen.puncer@xxxxxxxxxxx> Signed-off-by: Harry Morris <h.morris@xxxxxxxxxxx> Tested-by: Harry Morris <h.morris@xxxxxxxxxxx> --- drivers/net/ieee802154/ca8210.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c index 377af43b8..06cac8d3f 100644 --- a/drivers/net/ieee802154/ca8210.c +++ b/drivers/net/ieee802154/ca8210.c @@ -2511,6 +2511,13 @@ static ssize_t ca8210_test_int_user_write( ); return -EIO; } + if (len != command[1] + 2) { + dev_err( + &priv->spi->dev, + "write len does not match packet length field\n" + ); + return -EMSGSIZE; + } ret = ca8210_test_check_upstream(command, priv->spi); if (ret == 0) { -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe linux-wpan" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
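Review bot: The new check compares len against command[1] + 2, but nothing visible in the hunk guarantees len >= 2 before command[1] is read, and the commit message says command[] starts uninitialised; if the earlier check (the one returning -EIO) does not already enforce a minimum length, the comparison reads an uninitialised byte, which tools like KMSAN will flag even though a u8 plus 2 can never equal a len below 2 and the call would still be rejected with -EMSGSIZE. Worth confirming that lower bound or adding it explicitly. A short comment spelling out the "+ 2" (command id byte plus length byte preceding the payload) would also tie the code to the description, which refers to the field as command.length rather than command[1].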