[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Linux kernel < 4.14.111 drivers/nfc/nfcmrvl/usb.c kernel address dumps to user space
From: Fuqian Huang <huangfq.daxian () gmail ! com>
Date: 2019-04-18 13:34:15
Message-ID: CABXRUiTuu3diVge+pC=fdG3W+m444FmkeswHOoOS93twyqbbUg () mail ! gmail ! com
[Download RAW message or body]
In drivers/nfc/nfcmrvl/usb.c:164,
nfcmrvl_tx_complete will dump the address of urb to dmesg,
which allows local user to read kernel address via dmesg.
static void nfcmrvl_tx_complete(struct urb *urb)
{
...
nfc_info(priv->dev, "urb %p status %d count %d\n",
urb, urb->status, urb->actual_length);
...
}
In drivers/nfc/nfcmrvl/usb.c:308,
nfcmrvl_probe will dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.
static int nfcmrvl_probe(struct usb_interface *intf,
const struct usb_device_id *id)
{
...
nfc_info(&udev->dev, "intf %p id %p\n", intf, id);
...
}
In drivers/nfc/nfcmrvl/usb.c:368,
nfcmrvl_disconnect will dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.
static void nfcmrvl_disconnect(struct usb_interface *intf)
{
...
nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
...
}
In drivers/nfc/nfcmrvl/usb.c:375,
nfcmrvl_suspendwill dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.
static int nfcmrvl_suspend(struct usb_interface *intf, pm_message_t message)
{
...
nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
...
}
In drivers/nfc/nfcmrvl/usb.c:416,
nfcmrvl_resume dump the address of inf to dmesg,
which allows local user to read kernel address via dmesg.
static int nfcmrvl_resume(struct usb_interface *intf)
{
...
nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
...
}
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic