[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Linux kernel < 4.14.111 drivers/nfc/nfcmrvl/usb.c kernel address dumps to user space
From:       Fuqian Huang <huangfq.daxian () gmail ! com>
Date:       2019-04-18 13:34:15
Message-ID: CABXRUiTuu3diVge+pC=fdG3W+m444FmkeswHOoOS93twyqbbUg () mail ! gmail ! com
[Download RAW message or body]

In drivers/nfc/nfcmrvl/usb.c:164,
nfcmrvl_tx_complete will dump the address of urb to dmesg,
which allows local user to read kernel address via dmesg.

static void nfcmrvl_tx_complete(struct urb *urb)
{
    ...
    nfc_info(priv->dev, "urb %p status %d count %d\n",
         urb, urb->status, urb->actual_length);
    ...
}

In drivers/nfc/nfcmrvl/usb.c:308,
nfcmrvl_probe will dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.

static int nfcmrvl_probe(struct usb_interface *intf,
             const struct usb_device_id *id)
{
    ...
    nfc_info(&udev->dev, "intf %p id %p\n", intf, id);
    ...
}

In drivers/nfc/nfcmrvl/usb.c:368,
nfcmrvl_disconnect will dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.

static void nfcmrvl_disconnect(struct usb_interface *intf)
{
    ...
    nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
    ...
}

In drivers/nfc/nfcmrvl/usb.c:375,
nfcmrvl_suspendwill dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.

static int nfcmrvl_suspend(struct usb_interface *intf, pm_message_t message)
{
    ...
    nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
    ...
}


In drivers/nfc/nfcmrvl/usb.c:416,
nfcmrvl_resume dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.

static int nfcmrvl_resume(struct usb_interface *intf)
{
    ...
    nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
    ...
}
[prev in list] [next in list] [prev in thread] [next in thread]