In cap_get_ims_certificate(), the certificate size is computed as:
*size = op->response->payload_size - sizeof(*response);
Both operands are size_t (unsigned), so if a malformed Greybus module
sends a response with payload_size smaller than sizeof(*response),
the subtraction wraps to a very large value. The subsequent memcpy()
then causes a heap buffer overflow.
Add a payload size validation before the subtraction to ensure the
response is large enough to contain the fixed-size response header.
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald <delenetchior1@gmail.com>
---
drivers/staging/greybus/authentication.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/staging/greybus/authentication.c b/drivers/staging/greybus/authentication.c
index 97b9937bb..1c14ad184 100644
--- a/drivers/staging/greybus/authentication.c
+++ b/drivers/staging/greybus/authentication.c
@@ -132,6 +132,12 @@ static int cap_get_ims_certificate(struct gb_cap *cap, u32 class, u32 id,
response = op->response->payload;
*result = response->result_code;
+
+ if (op->response->payload_size < sizeof(*response)) {
+ ret = -EINVAL;
+ goto done;
+ }
+
*size = op->response->payload_size - sizeof(*response);
memcpy(certificate, response->certificate, *size);
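Review bot: the new bounds check lands after `*result = response->result_code;`, so the first field of the fixed-size header is read before the hunk verifies that `payload_size` covers `sizeof(*response)`; moving the `if (op->response->payload_size < sizeof(*response))` block up to sit directly after `response = op->response->payload;` validates the header before any part of it is dereferenced. The check also relies on `ret` and the `done:` label, neither of which is in the visible context, so confirm both exist in this function and that `done` performs the same cleanup as the existing error paths.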
--
2.43.0
On Sun, Apr 05, 2026 at 12:22:42AM +0100, Delene Tchio Romuald wrote:
> In cap_get_ims_certificate(), the certificate size is computed as:
>
> *size = op->response->payload_size - sizeof(*response);
>
> Both operands are size_t (unsigned), so if a malformed Greybus module
> sends a response with payload_size smaller than sizeof(*response),
> the subtraction wraps to a very large value. The subsequent memcpy()
> then causes a heap buffer overflow.

How can you have a "malformed greybus module"? Please fix your AI tool's threat model to be realistic :)

thanks,

greg k-h