From d58f336aaff9805ecd6cfd514bf1c644104e4c92 Mon Sep 17 00:00:00 2001
From: Jiamin Ma
Date: Tue, 18 Jun 2019 14:00:43 +0800
Subject: [PATCH] efuse: fix potential memory info leakage issue [1/1]

PD#OTT-4656

Problem:
When handling the set attribute IOCTL EFUSE_INFO_GET, the driver makes a call to efuse_getinfo (line 177), passing it a potentially non-null-terminated string. The efuse_getinfo() function then uses this potentially non-null-terminated string in strcmp (line 99). The method efuse_getinfo does not cater to non-null-terminated strings and thus can likely be made to overrun the "item" string beyond any printable ASCII data. Furthermore, if attackers can control the item value well enough, the function efuse_getinfo can be used to potentially disclose values in kernel memory, i.e. by checking the results of lots of strcmp calls on item values, essentially acting as an oracle for memory values surrounding the efusekey_info[n].keyname variable in stack memory.

Solution:
Force a null terminator for the keyname argument before comparing it to kernel memory.

Verify: U200

Change-Id: I851dd7045d0a9e7855e9899c4745eac475cb9233
Signed-off-by: Jiamin Ma
---
 drivers/amlogic/efuse/efuse.c | 1 +
 drivers/amlogic/efuse/efuse64.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/drivers/amlogic/efuse/efuse.c b/drivers/amlogic/efuse/efuse.c index 55b4e4ca635b..285ad23ffaac 100644 --- a/drivers/amlogic/efuse/efuse.c +++ b/drivers/amlogic/efuse/efuse.c @@ -114,6 +114,7 @@ static long efuse_unlocked_ioctl(struct file *file, unsigned int cmd, __func__, __LINE__); return ret; } + info.title[sizeof(info.title) - 1] = '\0'; if (efuse_getinfo_byTitle(info.title, &info) < 0) return -EFAULT; diff --git a/drivers/amlogic/efuse/efuse64.c b/drivers/amlogic/efuse/efuse64.c index ec6837d95e1c..9370d2d9d6c4 100644 --- a/drivers/amlogic/efuse/efuse64.c +++ b/drivers/amlogic/efuse/efuse64.c
@@ -249,6 +249,7 @@ static long efuse_unlocked_ioctl(struct file *file, unsigned int cmd, __func__, __LINE__); return ret; } + info.keyname[sizeof(info.keyname) - 1] = '\0'; if (efuse_getinfo(info.keyname, &info) < 0) { pr_err("%s if not found\n", info.keyname); return -EFAULT;
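Review bot: in the efuse.c hunk (@@ -114,6 +114,7 @@), the added `info.title[sizeof(info.title) - 1] = '\0';` silently truncates an over-long title and then performs the lookup with the truncated name, so a malformed request is answered as a (probably failing) lookup instead of being rejected; consider checking `strnlen(info.title, sizeof(info.title)) == sizeof(info.title)` right after the copy from userspace and returning -EINVAL, which also documents the intent better than a bare terminator write. The fix is only correct if `info.title` is a fixed-size char array in the struct copied from userspace, which the hunk does not show; a one-line comment stating that assumption would help the next reader. The unchanged `return -EFAULT;` for a failed efuse_getinfo_byTitle() lookup reports a bad user pointer for what is really a not-found condition; -ENOENT fits better.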
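Review bot: in the efuse64.c hunk (@@ -249,6 +249,7 @@), the now properly terminated but still user-controlled `info.keyname` is echoed into the kernel log by the unchanged `pr_err("%s if not found\n", info.keyname);`, so any caller with access to the ioctl can fill the log with arbitrary strings; suggest `pr_err_ratelimited()` or dropping the string and logging only that the lookup failed. The same point as for efuse.c applies to the added `info.keyname[sizeof(info.keyname) - 1] = '\0';`: rejecting an unterminated name with -EINVAL via `strnlen()` is preferable to silently truncating it, and the `return -EFAULT;` for a not-found key should be -ENOENT. The message text "if not found" also reads like a typo for "is not found".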