Re: [syzbot] WARNING in nci_add_new_protocol

[Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>]

On 02/12/2022 22:36, Kees Cook wrote:
> On Sun, Nov 27, 2022 at 02:26:30PM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    4312098baf37 Merge tag 'spi-fix-v6.1-rc6' of git://git.ker..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=12e25bb5880000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=b1129081024ee340
>> dashboard link: https://syzkaller.appspot.com/bug?extid=210e196cef4711b65139
>> compiler:       arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>> userspace arch: arm
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+210e196cef4711b65139@syzkaller.appspotmail.com
>>
>> ------------[ cut here ]------------
>> WARNING: CPU: 0 PID: 7843 at net/nfc/nci/ntf.c:260 nci_add_new_protocol+0x268/0x30c net/nfc/nci/ntf.c:260
>> memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
> 
> This looks like a legitimate overflow flaw to me. Likely introduced with
> commit 019c4fbaa790 ("NFC: Add NCI multiple targets support").
> 
> These appear to be explicitly filling fixed-size arrays:
> 
> struct nfc_target {
>         u32 idx;
>         u32 supported_protocols;
>         u16 sens_res;
>         u8 sel_res;
>         u8 nfcid1_len;
>         u8 nfcid1[NFC_NFCID1_MAXSIZE];
>         u8 nfcid2_len;
>         u8 nfcid2[NFC_NFCID2_MAXSIZE];
>         u8 sensb_res_len;
>         u8 sensb_res[NFC_SENSB_RES_MAXSIZE];
>         u8 sensf_res_len;
>         u8 sensf_res[NFC_SENSF_RES_MAXSIZE];
>         u8 hci_reader_gate;
>         u8 logical_idx;
>         u8 is_iso15693;
>         u8 iso15693_dsfid;
>         u8 iso15693_uid[NFC_ISO15693_UID_MAXSIZE];
> };
> 
> static int nci_add_new_protocol(..., struct nfc_target *target, ...)
> {
> 	...
>         } else if (rf_tech_and_mode == NCI_NFC_B_PASSIVE_POLL_MODE) {
>                 nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;
> 
>                 target->sensb_res_len = nfcb_poll->sensb_res_len;
>                 if (target->sensb_res_len > 0) {
>                         memcpy(target->sensb_res, nfcb_poll->sensb_res,
>                                target->sensb_res_len);
>                 }
>         } else if (rf_tech_and_mode == NCI_NFC_F_PASSIVE_POLL_MODE) {
>                 nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;
> 
>                 target->sensf_res_len = nfcf_poll->sensf_res_len;
>                 if (target->sensf_res_len > 0) {
>                         memcpy(target->sensf_res, nfcf_poll->sensf_res,
>                                target->sensf_res_len);
>                 }
>         } else if (rf_tech_and_mode == NCI_NFC_V_PASSIVE_POLL_MODE) {
>                 nfcv_poll = (struct rf_tech_specific_params_nfcv_poll *)params;
> 
>                 target->is_iso15693 = 1;
>                 target->iso15693_dsfid = nfcv_poll->dsfid;
>                 memcpy(target->iso15693_uid, nfcv_poll->uid, NFC_ISO15693_UID_MAXSIZE);
> 	}
> 	...
> 
> But the sizes are unbounds-checked, which means the buffers can be
> overwritten (as seen with the syzkaller report).
> 
> Perhaps this to fix it?
> 
> diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
> index 282c51051dcc..3a79f07bfea7 100644
> --- a/net/nfc/nci/ntf.c
> +++ b/net/nfc/nci/ntf.c
> @@ -240,6 +240,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
>  		target->sens_res = nfca_poll->sens_res;
>  		target->sel_res = nfca_poll->sel_res;
>  		target->nfcid1_len = nfca_poll->nfcid1_len;
> +		if (target->nfcid1_len > ARRAY_SIZE(target->target->nfcid1))
> +			return -EPROTO;

Or truncate (copy up to size of array) but both solutions look fine to me.

> 

Best regards,
Krzysztof