oss-sec mailing list archives

Linux kernel < 4.14.111 drivers/nfc/nfcmrvl/usb.c kernel address dumps to user space


From: Fuqian Huang <huangfq.daxian () gmail com>
Date: Thu, 18 Apr 2019 21:34:15 +0800

In drivers/nfc/nfcmrvl/usb.c:164,
nfcmrvl_tx_complete will dump the address of urb to dmesg,
which allows a local user to read a kernel address via dmesg.

static void nfcmrvl_tx_complete(struct urb *urb)
{
    ...
    nfc_info(priv->dev, "urb %p status %d count %d\n",
         urb, urb->status, urb->actual_length);
    ...
}

In drivers/nfc/nfcmrvl/usb.c:308,
nfcmrvl_probe will dump the address of intf to dmesg,
which allows a local user to read a kernel address via dmesg.

static int nfcmrvl_probe(struct usb_interface *intf,
             const struct usb_device_id *id)
{
    ...
    nfc_info(&udev->dev, "intf %p id %p\n", intf, id);
    ...
}

In drivers/nfc/nfcmrvl/usb.c:368,
nfcmrvl_disconnect will dump the address of intf to dmesg,
which allows a local user to read a kernel address via dmesg.

static void nfcmrvl_disconnect(struct usb_interface *intf)
{
    ...
    nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
    ...
}

In drivers/nfc/nfcmrvl/usb.c:375,
nfcmrvl_suspend will dump the address of intf to dmesg,
which allows a local user to read a kernel address via dmesg.

static int nfcmrvl_suspend(struct usb_interface *intf, pm_message_t message)
{
    ...
    nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
    ...
}


In drivers/nfc/nfcmrvl/usb.c:416,
nfcmrvl_resume will dump the address of intf to dmesg,
which allows a local user to read a kernel address via dmesg.

static int nfcmrvl_resume(struct usb_interface *intf)
{
    ...
    nfc_info(&drv_data->udev->dev, "intf %p\n", intf);
    ...
}
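
A source audit for the pattern reported in this message, added here as an example and not code from the post or from the kernel tree: it scans C source for logging calls whose format string contains a bare %p, the specifier the post shows writing kernel addresses to dmesg. The macro list, the function names and the SAMPLE snippet are assumptions constructed for the example.

```python
import re

# Constructed sample: two of the nfc_info() calls quoted in the post, plus a
# %pK call (an extended specifier, not a bare %p) that must not be flagged.
SAMPLE = r'''
static void nfcmrvl_tx_complete(struct urb *urb)
{
    nfc_info(priv->dev, "urb %p status %d count %d\n",
         urb, urb->status, urb->actual_length);
}
static int nfcmrvl_probe(struct usb_interface *intf,
             const struct usb_device_id *id)
{
    nfc_info(&udev->dev, "intf %p id %p\n", intf, id);
    nfc_info(&udev->dev, "intf %pK\n", intf);
}
'''

# A logging call up to its closing ");". Arguments are matched as string
# literals or as characters other than '"' and ';', so calls that span lines
# and format strings containing ')' or ';' are handled.
# The macro list is an assumption; extend it for the tree being audited.
CALL = re.compile(r'\b(nfc_info|nfc_err|dev_info|dev_err|pr_info|pr_err|printk)\s*\('
                  r'((?:"(?:[^"\\]|\\.)*"|[^";])*)\)\s*;')
STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Bare %p: optional flags/width, then 'p' with no extension character after it
# (so %pK, %pM, %pS and the other extended forms are not counted).
BARE_P = re.compile(r'%[-0-9#+ ]*p(?![A-Za-z0-9])')

def find_raw_pointer_logs(src):
    """Return (line, macro, bare_%p_count) for each log call that prints a pointer."""
    findings = []
    for m in CALL.finditer(src):
        # Join every string literal in the call; "%%" is a literal percent sign.
        fmt = "".join(STRING.findall(m.group(2))).replace("%%", "")
        hits = len(BARE_P.findall(fmt))
        if hits:
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), hits))
    return findings

if __name__ == "__main__":
    for line, macro, hits in find_raw_pointer_logs(SAMPLE):
        print(f"line {line}: {macro}() logs {hits} pointer(s) with bare %p")
```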

