lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Wed, 24 Aug 2022 19:21:44 +0300
From:   Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>
To:     מיכאל שטראוס 
        <mdstrauss91@...il.com>
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        Jakub Kicinski <kuba@...nel.org>,
        "David S. Miller" <davem@...emloft.net>, linux-nfc@...ts.01.org
Subject: Re: ST ST95HF DRIVER security bug

On 24/08/2022 18:12, מיכאל שטראוס wrote:
>>
>> Please use scripts/get_maintainers.pl to Cc relevant people. You got the
>> same comment last time as well...
>>
> Sorry my bad, i forgot we already contacted.
> I actually ran it and your name came up for some reason.
> 
>> ./scripts/get_maintainer.pl drivers/nfc/st95hf/spi.c
> 
> Bad divisor in main::vcs_assign: 0
> 
> Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org> (maintainer:NFC
>> SUBSYSTEM)
> 
> netdev@...r.kernel.org (open list:NFC SUB

and other addresses... why removing them?

> 
> 
> 
> 
>>  What does it mean "current source"? Please be specific which exactly
> 
> kernel version is affected, which commit introduced it.
> 
> *Effected version: *
> - v6.0-rc2 <https://github.com/torvalds/linux/releases/tag/v6.0-rc2>  ...
> - *v4.5-rc1* <https://github.com/torvalds/linux/releases/tag/v4.5-rc1>
> *Introducing commit:  *
> https://github.com/torvalds/linux/commit/cab47333f0f75b685bce1facecb73bf3632e1360
> 
> Then the risk is quite low, right? SPI busses are not user hot-pluggable
>> except some development boards (so again a real niche). Basically it's
>> impact is negligible
>>
> Agreed.
> 
> What does it mean "remote device"? NFC? NFC tag does not talk over SPI...
>>
> I was wondering maybe the tag is the source for the content that actually
> overflows the kernel buffer,
> In which case it changes the picture a bit.

The buffer is used for SPI transfer, so the NFC tag - except that it
works with that device - is rather long shot.


Best regards,
Krzysztof

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ