review.tizen.org Git - platform/kernel/linux-amlogic.git/commit

author	Jiamin Ma <jiamin.ma@amlogic.com>
	Tue, 18 Jun 2019 06:00:43 +0000 (14:00 +0800)
committer	Tao Zeng <tao.zeng@amlogic.com>
	Fri, 28 Jun 2019 06:00:22 +0000 (23:00 -0700)
commit	594e7bb8d79527ee522a2075f842a6d121af33fb
tree	64ff7f7825ffae631baafba3615e8b45033bc0ed	tree \| snapshot
parent	7c279ca18ac1a44147647ef668d6115821886594	commit \| diff

efuse: fix potential memory info leakage issue [1/1]

PD#OTT-4656

Problem:
When handling the set attribute IOCTL EFUSE_INFO_GET the driver
makes a call to efuse_getinfo(line 177) passing it a potentially
non-null terminated string. efuse_getinfo() function then uses
this potentially non-null terminated string in strcmp (line 99).
the method efuse_getinfo does not cater to non-null terminated
strings and thus can likely be made to overrun the "item" string
beyond any printable ascii data.
Further more, if attackers can control the item value well enough,
the function efuse_getinfo can be used to potentially disclose
values in kernel memory i.e. by checking the results of lots of
strcmp calls on items values, essentially acting as an oracle for
memory values surrounding the efusekey_info[n].keyname variable in
stack memory.

Solution:
force a null terminator for the keyname argument before comparing
it to kernel memory

Verify:
U200

Change-Id: I851dd7045d0a9e7855e9899c4745eac475cb9233
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>

drivers/amlogic/efuse/efuse.c		diff \| blob \| history
drivers/amlogic/efuse/efuse64.c		diff \| blob \| history