From: Denis Efremov <denis.e.efremov@oracle.com>
To: Pavel Machek <pavel@ucw.cz>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
theflamefire89@gmail.com
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Jordy Zomer <jordy@pwning.systems>,
Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [External] : Re: [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
Date: Thu, 2 Jun 2022 20:30:33 +0400 [thread overview]
Message-ID: <05a88b72-a814-1e46-4d77-c93fa6298b96@oracle.com> (raw)
In-Reply-To: <20220602161229.GA32444@duo.ucw.cz>
Hi,
On 6/2/22 20:12, Pavel Machek wrote:
> Hi!
>
>> commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
>>
>> It appears that there are some buffer overflows in EVT_TRANSACTION.
>> This happens because the length parameters that are passed to memcpy
>> come directly from skb->data and are not guarded in any way.
>>
>> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
>> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
>> Signed-off-by: David S. Miller <davem@davemloft.net>
>> Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> It seems that this patch causes an memory leak, transaction does not
> seem to be freed in the error paths.
>
> (I also wonder if the skb should be freed in the error paths...?)
>
> Reported-by: <theflamefire89@gmail.com>
Same for upstream code and it looks like the problem existed even
before this patch. I'll prepare an upstream patch and cc it to stable.
Thanks,
Denis
next prev parent reply other threads:[~2022-06-02 16:31 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION Greg Kroah-Hartman
2022-06-02 16:12 ` Pavel Machek
2022-06-02 16:30 ` Denis Efremov [this message]
2022-06-02 19:03 ` [External] : " Denis Efremov
2022-03-25 15:04 ` [PATCH 4.19 02/20] net: ipv6: fix skb_over_panic in __ip6_append_data Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 03/20] esp: Fix possible buffer overflow in ESP transformation Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 04/20] staging: fbtft: fb_st7789v: reset display before initialization Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 05/20] thermal: int340x: fix memory leak in int3400_notify() Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 06/20] llc: fix netdevice reference leaks in llc_ui_bind() Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 07/20] ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 08/20] ALSA: oss: Fix PCM OSS buffer allocation overflow Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 09/20] ALSA: pcm: Add stream lock during PCM reset ioctl operations Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 10/20] ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 11/20] ALSA: cmipci: Restore aux vol on suspend/resume Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 12/20] ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 13/20] drivers: net: xgene: Fix regression in CRC stripping Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 14/20] netfilter: nf_tables: initialize registers in nft_do_chain() Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 15/20] ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 16/20] ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 17/20] ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 18/20] crypto: qat - disable registration of algorithms Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 19/20] mac80211: fix potential double free on mesh join Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 20/20] nds32: fix access_ok() checks in get/put_user Greg Kroah-Hartman
2022-03-25 18:40 ` [PATCH 4.19 00/20] 4.19.237-rc1 review Pavel Machek
2022-03-25 23:25 ` Shuah Khan
2022-03-26 3:46 ` Samuel Zou
2022-03-26 14:04 ` Sudip Mukherjee
2022-03-26 14:24 ` Naresh Kamboju
2022-03-27 0:50 ` Guenter Roeck
2022-03-28 14:24 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=05a88b72-a814-1e46-4d77-c93fa6298b96@oracle.com \
--to=denis.e.efremov@oracle.com \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=jordy@pwning.systems \
--cc=krzysztof.kozlowski@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=stable@vger.kernel.org \
--cc=theflamefire89@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).