From 594e7bb8d79527ee522a2075f842a6d121af33fb Mon Sep 17 00:00:00 2001 From: Jiamin Ma Date: Tue, 18 Jun 2019 14:00:43 +0800 Subject: [PATCH] efuse: fix potential memory info leakage issue [1/1] PD#OTT-4656 Problem: When handling the set attribute IOCTL EFUSE_INFO_GET the driver makes a call to efuse_getinfo(line 177) passing it a potentially non-null terminated string. efuse_getinfo() function then uses this potentially non-null terminated string in strcmp (line 99). The method efuse_getinfo does not cater to non-null terminated strings and thus can likely be made to overrun the "item" string beyond any printable ascii data. Furthermore, if attackers can control the item value well enough, the function efuse_getinfo can be used to potentially disclose values in kernel memory i.e. by checking the results of lots of strcmp calls on items values, essentially acting as an oracle for memory values surrounding the efusekey_info[n].keyname variable in stack memory. Solution: force a null terminator for the keyname argument before comparing it to kernel memory Verify: U200 Change-Id: I851dd7045d0a9e7855e9899c4745eac475cb9233 Signed-off-by: Jiamin Ma --- drivers/amlogic/efuse/efuse.c | 1 + drivers/amlogic/efuse/efuse64.c | 1 + 2 files changed, 2 insertions(+) diff --git a/drivers/amlogic/efuse/efuse.c b/drivers/amlogic/efuse/efuse.c index 55b4e4c..285ad23 100644 --- a/drivers/amlogic/efuse/efuse.c +++ b/drivers/amlogic/efuse/efuse.c @@ -114,6 +114,7 @@ static long efuse_unlocked_ioctl(struct file *file, unsigned int cmd, __func__, __LINE__); return ret; } + info.title[sizeof(info.title) - 1] = '\0'; if (efuse_getinfo_byTitle(info.title, &info) < 0) return -EFAULT; diff --git a/drivers/amlogic/efuse/efuse64.c b/drivers/amlogic/efuse/efuse64.c index 2b913a4..ea1e48b 100644 --- a/drivers/amlogic/efuse/efuse64.c +++ b/drivers/amlogic/efuse/efuse64.c 
@@ -174,6 +174,7 @@ static long efuse_unlocked_ioctl(struct file *file, unsigned int cmd, __func__, __LINE__); return ret; } + info.keyname[sizeof(info.keyname) - 1] = '\0'; if (efuse_getinfo(info.keyname, &info) < 0) { pr_err("%s if not found\n", info.keyname); return -EFAULT; -- 2.7.4
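Review bot: in the efuse.c hunk, `info.title[sizeof(info.title) - 1] = '\0';` guarantees termination but does so by silently truncating a title that filled the whole buffer, so an overlong or unterminated user-supplied string is quietly turned into a shorter, valid-looking name and still handed to efuse_getinfo_byTitle(); since the stated goal is to stop user-controlled bytes from being compared against kernel memory, rejecting such input is the tighter fix, e.g. `if (strnlen(info.title, sizeof(info.title)) == sizeof(info.title)) return -EINVAL;` before the lookup. Also worth confirming against the struct definition that `title` is a fixed-size char array and not a pointer, because `sizeof(info.title)` only yields the buffer length for an array.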
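Review bot: in the efuse64.c hunk the forced terminator sits correctly after the preceding error-return path and before the strcmp-based lookup, but the following `pr_err("%s if not found\n", info.keyname);` still echoes the user-controlled keyname into the kernel log on every failed lookup; termination now prevents a read overrun, yet any caller able to issue the ioctl can fill the log by looping over unknown names, so consider `pr_err_ratelimited()` or dropping the echoed value (the message also reads like a typo, "if not found" for "is not found"). A one-line comment on the new assignment saying that userspace may supply an unterminated keyname would document why the byte is forced, since that reasoning currently lives only in the commit message.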