Author: Morgan Hughes
Date:  
To: Sicelo, zdi-disclosures@trendmicro.com
CC: Willy Tarreau, ofono@lists.linux.dev, secalert@redhat.com, ivo.g.dimitrov.75, maemo-leste
Subject: Re: [maemo-leste] ZDI-CAN-29089: New Vulnerability Report
On 2026-03-12 13:13, Sicelo wrote:
> Community members will work on these. As with any other open-source
> projects, patches welcome.


This looks a lot like a problem I encountered on a buggy modem in October and submitted a
patch for.  I've re-attached the patch here; perhaps it was missed because I didn't submit
it using git?

Morgan Hughes


>
>
>
> On Thu, Mar 12, 2026 at 07:13:20PM +0000, zdi-disclosures@??? wrote:
>> Hello Willy,
>>
>> Noted thank you!
>>
>> Any updates on this issue?
>>
>> Thanks,
>> ZDI
>>
>> -----Original Message-----
>> From: Willy Tarreau <w@???>
>> Sent: Tuesday, February 10, 2026 9:02 AM
>> To: ZDI Disclosures Mailbox <zdi-disclosures@???>
>> Cc: ofono@???; secalert@???; security@???
>> Subject: Re: ZDI-CAN-29089: New Vulnerability Report
>>
>> Hello,
>>
>> On Tue, Feb 10, 2026 at 04:54:46PM +0000, zdi-disclosures@??? wrote:
>>> ZDI-CAN-29089: oFono MBIM SMS Handling Heap-based Buffer Overflow Arbitrary Code Execution Vulnerability
>>>
>>> -- CVSS -----------------------------------------
>>>
>>> 6.8: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>>>
>>> -- ABSTRACT -------------------------------------
>>>
>>> Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
>>> oFono - oFono
>>>
>>> -- VULNERABILITY DETAILS ------------------------
>>> * Version tested: 20.0.3
>>> * Installer file: agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
>>> * Platform tested: Raspberry Pi
>> (...)
>>
>> Please note that none of these 3 reports concern code in the Linux
>> kernel, so security@??? can be dropped from future exchanges.
>>
>> Thanks,
>> Willy
>> TREND MICRO EMAIL NOTICE
>> The information contained in this email and any attachments is confidential
>> and may be subject to copyright or other intellectual property protection.
>> If you are not the intended recipient, you are not authorized to use or
>> disclose this information, and we request that you notify us by reply mail or
>> telephone and delete the original message from your mail system.
>> For details about what personal information we collect and why, please see our Privacy Notice on our website at: [https://www.trendmicro.com/privacy]
>>
>>

diff --git a/drivers/mbimmodem/mbim.c b/drivers/mbimmodem/mbim.c
index c405761d..4322f5ad 100644
--- a/drivers/mbimmodem/mbim.c
+++ b/drivers/mbimmodem/mbim.c
@@ -18,6 +18,7 @@
#include <linux/types.h>

#include <ell/ell.h>
+#include <ell/useful.h>

 #include "mbim.h"
 #include "mbim-message.h"
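Review bot: the new `#include <ell/useful.h>` is only there to provide the `unlikely()` macro used in the next hunk, and the fact that it has to be added separately shows it is not pulled in by the existing `<ell/ell.h>` umbrella include; `useful.h` is ell's internal convenience header rather than a public one, so confirm it is reachable when oFono is built against an external ell installation, or drop the `unlikely()` wrapper and use a plain `if` so the include is not needed at all.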
@@ -613,6 +614,15 @@ static bool command_read_handler(struct l_io *io, void *user_data)
     hdr = (struct mbim_message_header *) device->header;
     type = L_LE32_TO_CPU(hdr->type);


+    if (unlikely(hdr->len > MAX_CONTROL_TRANSFER)) {
+        char *hex = l_util_hexstring(device->header,
+                        sizeof(struct mbim_message_header));
+        l_warn("MBIM: skip implausible hdr %s: len 0x%x type 0x%x", hex,
+            L_LE32_TO_CPU(hdr->len), L_LE32_TO_CPU(hdr->type));
+        l_free(hex);
+        return false;
+    }
+
     if (device->segment_bytes_remaining == 0)
         device->segment_bytes_remaining =
                     L_LE32_TO_CPU(hdr->len) -
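Review bot: the new bound check compares the raw on-the-wire `hdr->len` against `MAX_CONTROL_TRANSFER`, while every other use of the field in this hunk goes through `L_LE32_TO_CPU()` (the `l_warn` arguments and the `segment_bytes_remaining` assignment below), so on a big-endian host the comparison runs on a byte-swapped value and accepts or rejects the wrong lengths; convert once, e.g. `uint32_t len = L_LE32_TO_CPU(hdr->len);`, and test `len > MAX_CONTROL_TRANSFER`. The check also needs a lower bound: the assignment that follows subtracts from `L_LE32_TO_CPU(hdr->len)`, and a header advertising a length smaller than the subtrahend underflows into a huge `segment_bytes_remaining`, so reject `len < sizeof(struct mbim_message_header)` in the same branch. Lastly, the log text says "skip", but returning `false` from an `l_io` read handler unregisters the handler rather than skipping the message, so either say what actually happens to the device or tear it down explicitly, and describe that choice in the commit message, which this patch currently lacks.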