oss-sec mailing list archives
Linux kernel < 4.14.111 drivers/nfc/nfcmrvl/usb.c kernel address dumps to user space
From: Fuqian Huang <huangfq.daxian () gmail com>
Date: Thu, 18 Apr 2019 21:34:15 +0800
In drivers/nfc/nfcmrvl/usb.c:164, nfcmrvl_tx_complete will dump the address of urb to dmesg, which allows local user to read kernel address via dmesg. static void nfcmrvl_tx_complete(struct urb *urb) { ... nfc_info(priv->dev, "urb %p status %d count %d\n", urb, urb->status, urb->actual_length); ... } In drivers/nfc/nfcmrvl/usb.c:308, nfcmrvl_probe will dump the address of inf to dmesg, which allows local user to read kernel address via dmesg. static int nfcmrvl_probe(struct usb_interface *intf, const struct usb_device_id *id) { ... nfc_info(&udev->dev, "intf %p id %p\n", intf, id); ... } In drivers/nfc/nfcmrvl/usb.c:368, nfcmrvl_disconnect will dump the address of inf to dmesg, which allows local user to read kernel address via dmesg. static void nfcmrvl_disconnect(struct usb_interface *intf) { ... nfc_info(&drv_data->udev->dev, "intf %p\n", intf); ... } In drivers/nfc/nfcmrvl/usb.c:375, nfcmrvl_suspendwill dump the address of inf to dmesg, which allows local user to read kernel address via dmesg. static int nfcmrvl_suspend(struct usb_interface *intf, pm_message_t message) { ... nfc_info(&drv_data->udev->dev, "intf %p\n", intf); ... } In drivers/nfc/nfcmrvl/usb.c:416, nfcmrvl_resume dump the address of inf to dmesg, which allows local user to read kernel address via dmesg. static int nfcmrvl_resume(struct usb_interface *intf) { ... nfc_info(&drv_data->udev->dev, "intf %p\n", intf); ... }
Current thread:
- Linux kernel < 4.14.111 drivers/nfc/nfcmrvl/usb.c kernel address dumps to user space Fuqian Huang (Apr 18)