Security probe of Qualcomm MSM data services

Aleksander Morgado aleksander at aleksander.es
Mon May 10 07:32:14 UTC 2021


Hey Tom,

> I thought this article might be of interest. Has there been any
> security testing of libqmi?
> https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/
>

Quite interesting read, thanks for pointing it out!

In the past we had several issues with parsing QMI messages that were
malformed, because the methods we were using were not strong enough
(e.g. qmi_utils_read_string_from_buffer()), but in 1.10 we introduced
a more robust parsing with error reporting (e.g.
qmi_message_tlv_read_string()), and we have not seen issues after
that... which doesn't mean they don't exist! (e.g. see this overflow
issue in libmbim:
https://gitlab.freedesktop.org/mobile-broadband/libmbim/-/issues/16).

But anyway, I don't think our case is as critical as the one you point
out in that article; in our case libqmi (and libmbim) will parse
exclusively messages sent by the WWAN module, and the worst case that
could happen is that the program using the library (e.g. ModemManager)
crashes. If anyone thinks of a more severe scenario please let me
know.

My worry with the parsers is more related to being robust enough to
handle e.g. wrongly encoded TLVs (because of our own bad encoded TLV
expectation).

-- 
Aleksander
https://aleksander.es
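
The kind of bounds-checked TLV read with error reporting that the message describes, as an added example that is not part of the original e-mail and is not libqmi's code. The names `tlv_find`, `tlv_get_string` and the error codes are hypothetical; it assumes the QMI TLV layout of a 1-byte type and a 2-byte little-endian length, and a string value carrying a 1-byte length prefix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical error codes for this example (not libqmi's). */
enum tlv_err { TLV_OK, TLV_ERR_TRUNCATED, TLV_ERR_NOT_FOUND, TLV_ERR_TOO_LONG };

/* Find a TLV by type. Layout: 1-byte type, 2-byte little-endian length, value. */
enum tlv_err tlv_find(const uint8_t *buf, size_t len, uint8_t type,
                      const uint8_t **val, size_t *val_len)
{
    for (size_t off = 0; off < len; ) {
        if (len - off < 3)
            return TLV_ERR_TRUNCATED;      /* header cut short */
        size_t l = (size_t)buf[off + 1] | ((size_t)buf[off + 2] << 8);
        if (l > len - off - 3)
            return TLV_ERR_TRUNCATED;      /* declared length overruns the buffer */
        if (buf[off] == type) {
            *val = buf + off + 3;
            *val_len = l;
            return TLV_OK;
        }
        off += 3 + l;                      /* safe: l was checked against the rest */
    }
    return TLV_ERR_NOT_FOUND;
}

/* Read a string with a 1-byte length prefix out of the TLV of the given type. */
enum tlv_err tlv_get_string(const uint8_t *buf, size_t len, uint8_t type,
                            char *out, size_t out_size)
{
    const uint8_t *val;
    size_t val_len;
    enum tlv_err e = tlv_find(buf, len, type, &val, &val_len);
    if (e != TLV_OK) return e;
    size_t n = val_len ? val[0] : 0;
    if (val_len < 1 || n > val_len - 1)
        return TLV_ERR_TRUNCATED;          /* prefix claims more than the TLV holds */
    if (n >= out_size)
        return TLV_ERR_TOO_LONG;           /* no room for the terminating NUL */
    memcpy(out, val + 1, n);
    out[n] = '\0';
    return TLV_OK;
}

/* Constructed sample inputs: one well-formed TLV and two malformed ones. */
const uint8_t MSG_OK[]         = { 0x01, 0x04, 0x00, 0x03, 'a', 'b', 'c' };
const uint8_t MSG_BAD_PREFIX[] = { 0x01, 0x04, 0x00, 0x09, 'a', 'b', 'c' };
const uint8_t MSG_BAD_LENGTH[] = { 0x01, 0x40, 0x00, 0x03, 'a', 'b', 'c' };
char demo_out[8];
```

Both malformed inputs are rejected with an error code before any byte is copied, so a wrongly encoded TLV from the module becomes a reportable parse failure instead of an out-of-bounds read.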


More information about the libqmi-devel mailing list