[greybus-dev] Re: [PATCH v1] greybus: authentication: validate CAP response payload size

11 May 2026

      On Mon, May 04, 2026 at 07:33:28PM -0400, Muhammad Bilal wrote:
...
cap_get_ims_certificate() and cap_authenticate() copy variable-length
response data directly into fixed-size UAPI buffers using the
untrusted op->response->payload_size value without any bounds checks.
A malicious or compromised Greybus endpoint can return an oversized
certificate or signature payload, causing a kernel heap overflow.
Fix both functions by:

Rejecting responses shorter than sizeof(*response) with -EPROTO.
Rejecting payloads exceeding CAP_CERTIFICATE_MAX_SIZE (1600) or
CAP_SIGNATURE_MAX_SIZE (320) with -EMSGSIZE.
Copying only the validated size into the UAPI buffer.

Fixes: e3eda54d0b5f ("greybus: Add Component Authentication Protocol support")
Signed-off-by: Muhammad Bilal meatuni001@gmail.com

drivers/staging/greybus/authentication.c | 34 +++++++++++++++++++++---
 1 file changed, 30 insertions(+), 4 deletions(-)
Was this tested on any real greybus devices?
thanks,
greg k-h

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

[greybus-dev] Re: [PATCH v1] greybus: authentication: validate CAP response payload size