From: Suren Baghdasaryan surenb@google.com
Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap.
cc: Stable stable@vger.kernel.org
Signed-off-by: Suren Baghdasaryan surenb@google.com
Signed-off-by: Amit Pundir amit.pundir@linaro.org
Reviewed-by: Andy Shevchenko andriy.shevchenko@linux.intel.com
---
v3..v1: Resend. No changes.
drivers/nfc/st21nfca/dep.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c index fd08be2917e6..3420c5104c94 100644 --- a/drivers/nfc/st21nfca/dep.c +++ b/drivers/nfc/st21nfca/dep.c @@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
atr_req = (struct st21nfca_atr_req *)skb->data;
- if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + if (atr_req->length < sizeof(struct st21nfca_atr_req) || + atr_req->length > skb->len) { r = -EPROTO; goto exit; }
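Review bot: the new upper bound `atr_req->length > skb->len` closes the over-read, but this hunk does not show whether skb->len is verified to be at least sizeof(struct st21nfca_atr_req) before `atr_req->length` itself is dereferenced from skb->data; if that guard lives elsewhere, a one-line comment above the condition saying that `length` is peer-supplied and must fit inside the received skb would make the intent of the two-sided check clear to the next reader.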
From: Suren Baghdasaryan surenb@google.com
When handling SHDLC I-Frame commands, the "pipe" field used for indexing into an array should be checked before usage. If left unchecked it might access memory outside of the array of size NFC_HCI_MAX_PIPES (127).
cc: Stable stable@vger.kernel.org
Signed-off-by: Suren Baghdasaryan surenb@google.com
Signed-off-by: Amit Pundir amit.pundir@linaro.org
Reviewed-by: Andy Shevchenko andriy.shevchenko@linux.intel.com
---
v3..v1: Resend. No changes.
net/nfc/hci/core.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c index ac8030c4bcf8..19cb2e473ea6 100644 --- a/net/nfc/hci/core.c +++ b/net/nfc/hci/core.c @@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd, } create_info = (struct hci_create_pipe_resp *)skb->data;
+ if (create_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + /* Save the new created pipe and bind with local gate, * the description for skb->data[3] is destination gate id * but since we received this cmd from host controller, we @@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd, } delete_info = (struct hci_delete_pipe_noti *)skb->data;
+ if (delete_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE; hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST; break;
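Review bot: the guard `if (create_info->pipe >= NFC_HCI_MAX_PIPES)` in the first hunk sits correctly after the cast of skb->data and before the pipe index is used, but the rejected path only sets NFC_HCI_ANY_E_NOK and jumps to exit; consider a dev_dbg() on that path (as the fdp patch in this series does) so a malformed CREATE_PIPE from the host controller is diagnosable rather than only NAKed.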
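Review bot: the same `pipe >= NFC_HCI_MAX_PIPES` check now appears twice in nfc_hci_cmd_received(); a small static inline helper, or one validation of the pipe field before the handlers diverge, would keep the two copies from drifting and give any future handler that indexes hdev->pipes the same protection. The placement in the delete hunk is right, since it precedes both `hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;` and the `.dest_host` assignment.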
From: Suren Baghdasaryan surenb@google.com
Possible buffer overflow when reading next_read_size bytes into tmp buffer after next_read_size was extracted from a previous packet.
cc: Stable stable@vger.kernel.org
Signed-off-by: Suren Baghdasaryan surenb@google.com
Signed-off-by: Amit Pundir amit.pundir@linaro.org
Reviewed-by: Andy Shevchenko andriy.shevchenko@linux.intel.com
---
v3: Reset next_read_size to a more readable macro FDP_NCI_I2C_MIN_PAYLOAD instead of 5.
v2: Remove redundant __func__ from dev_dbg().
drivers/nfc/fdp/i2c.c | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c index c4da50e07bbc..2c5ed2224c5e 100644 --- a/drivers/nfc/fdp/i2c.c +++ b/drivers/nfc/fdp/i2c.c @@ -176,6 +176,15 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb) /* Packet that contains a length */ if (tmp[0] == 0 && tmp[1] == 0) { phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3; + /* + * Ensure next_read_size does not exceed sizeof(tmp) + * for reading that many bytes during next iteration + */ + if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) { + dev_dbg(&client->dev, "corrupted packet\n"); + phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD; + goto flush; + } } else { phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD;
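Review bot: the comment says the check keeps next_read_size within sizeof(tmp), but the condition compares against FDP_NCI_I2C_MAX_PAYLOAD; either compare against sizeof(tmp) directly or say in the comment that FDP_NCI_I2C_MAX_PAYLOAD is the size of tmp, so the two cannot silently diverge if the buffer is ever resized. Resetting next_read_size to FDP_NCI_I2C_MIN_PAYLOAD before `goto flush` is the right recovery, since the computed size came from the corrupted packet and must not be reused on the next read.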
Hi Amit,
On Fri, May 04, 2018 at 12:08:53AM +0530, Amit Pundir wrote:
> From: Suren Baghdasaryan surenb@google.com
>
> Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap.
>
> cc: Stable stable@vger.kernel.org
> Signed-off-by: Suren Baghdasaryan surenb@google.com
> Signed-off-by: Amit Pundir amit.pundir@linaro.org
> Reviewed-by: Andy Shevchenko andriy.shevchenko@linux.intel.com
>
> v3..v1: Resend. No changes.
>
> drivers/nfc/st21nfca/dep.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
All 4 patches applied to nfc-next, thanks.
Cheers, Samuel.