From: Denis Efremov <denis.e.efremov@oracle.com>
To: unlisted-recipients:; (no To-header on input)
Cc: Jordy Zomer <jordy@pwning.systems>,
stable@vger.kernel.org,
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>,
Denis Efremov <denis.e.efremov@oracle.com>
Subject: [PATCH] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
Date: Mon, 21 Mar 2022 20:40:06 +0300 [thread overview]
Message-ID: <20220321174006.47972-1-denis.e.efremov@oracle.com> (raw)
In-Reply-To: <20220111164451.3232987-1-jordy@pwning.systems>
From: Jordy Zomer <jordy@pwning.systems>
It appears that there are some buffer overflows in EVT_TRANSACTION.
This happens because the length parameters that are passed to memcpy
come directly from skb->data and are not guarded in any way.
Link: https://lore.kernel.org/all/20220111164451.3232987-1-jordy@pwning.systems/#t
Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
Cc: stable@vger.kernel.org # 4.0+
Signed-off-by: Jordy Zomer <jordy@pwning.systems>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
---
CVE-2022-26490 was assigned to this patch. It looks like it's not in
the stable trees yet. I only added Link:/Fixes:/Cc: stable... to the
commit's message.
drivers/nfc/st21nfca/se.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
index a43fc4117fa5..c922f10d0d7b 100644
--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -316,6 +316,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
return -ENOMEM;
transaction->aid_len = skb->data[1];
+
+ /* Checking if the length of the AID is valid */
+ if (transaction->aid_len > sizeof(transaction->aid))
+ return -EINVAL;
+
memcpy(transaction->aid, &skb->data[2],
transaction->aid_len);
@@ -325,6 +330,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
return -EPROTO;
transaction->params_len = skb->data[transaction->aid_len + 3];
+
+ /* Total size is allocated (skb->len - 2) minus fixed array members */
+ if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
+ return -EINVAL;
+
memcpy(transaction->params, skb->data +
transaction->aid_len + 4, transaction->params_len);
--
2.35.1
next prev parent reply other threads:[~2022-03-21 17:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-17 17:17 [PATCH] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION Jordy Zomer
2021-11-18 7:04 ` [PATCH v2] " Jordy Zomer
2021-11-18 7:40 ` Krzysztof Kozlowski
2022-01-11 16:44 ` [PATCH v3] " Jordy Zomer
2022-01-12 10:07 ` Krzysztof Kozlowski
2022-01-12 17:25 ` Jakub Kicinski
2022-03-21 17:40 ` Denis Efremov [this message]
2022-03-22 7:11 ` [PATCH] " Greg KH
2022-03-22 8:58 ` [External] : " Denis Efremov
2022-03-24 12:51 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220321174006.47972-1-denis.e.efremov@oracle.com \
--to=denis.e.efremov@oracle.com \
--cc=jordy@pwning.systems \
--cc=krzysztof.kozlowski@canonical.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.