From patchwork Wed Dec 20 19:51:22 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 10126473 X-Patchwork-Delegate: sameo@linux.intel.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id F2F176019C for ; Wed, 20 Dec 2017 19:51:46 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E5E2929890 for ; Wed, 20 Dec 2017 19:51:46 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DAE2B2989B; Wed, 20 Dec 2017 19:51:46 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7989A29890 for ; Wed, 20 Dec 2017 19:51:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756745AbdLTTvp (ORCPT ); Wed, 20 Dec 2017 14:51:45 -0500 Received: from mail-pl0-f68.google.com ([209.85.160.68]:37412 "EHLO mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756615AbdLTTvj (ORCPT ); Wed, 20 Dec 2017 14:51:39 -0500 Received: by mail-pl0-f68.google.com with SMTP id s3so9608559plp.4 for ; Wed, 20 Dec 2017 11:51:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Q7b33P81Dqi1buU+SZECfMgqa7so/MUyD350h11szic=; b=g6KqpflgqnaQOgO+ea8Nn5HIDUfPH3KJTwVwO9kkhOEZQWKSDVE9/t1r0snEnbCtMg IdgbfV+NpenUdianA3yD2IddS7rStV/PC8LbQx6v4wTFfpZJP7DAWT6YdRizFvgnDdIX Hy1QGRVOFlfUxdh2e9MzS44MhSB3GusLd5yKk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Q7b33P81Dqi1buU+SZECfMgqa7so/MUyD350h11szic=; b=FJDys1QTpiSZrVqGh59jlZ3AoS7Ypdt69/wvQFnSzaoSn2OZETUTGMWN0Oe+WkpMmy GdBZiJM1LfPoKf9/GFfLTpyXa4nwGmdDB5xHT6TStFhsJlc0leAd2LYgKiGcwBbhPbB+ sFlsoclh+mwrnlUtYftWR+qSy2JO2CGhhF+FEvZfJuGx2cfUrPSvJPH1jn4gKSXrb0dD QbNm/cOy7JyARZ3/YWW7gcPV+37DKkoISVTQ6XJZj1OQlO7Ty7G0QKkvWEDbSzgRkW+L iXhgUejKeXsuFo+zK8yCkRaBA/hjljC096LKM9ul8uRzWHxa9hDO97jEnbbcyZmcJ8Kh o2LA== X-Gm-Message-State: AKGB3mIntZiHbNbsp3VjF0JASayg74toVeygxrevHd6uziQGqgr7fXWp 08dgBD7YsmDaOl8XIvW+URkzIw== X-Google-Smtp-Source: ACJfBouM/yGxGiIgX0a7rDYvNGhQ6yttUn8+YoRjjWcnyUNn/8uB2NtGCWvGRZLQGVlX5XWNDhHpIg== X-Received: by 10.84.242.134 with SMTP id d6mr7934028pll.98.1513799499067; Wed, 20 Dec 2017 11:51:39 -0800 (PST) Received: from localhost.localdomain ([106.51.17.191]) by smtp.gmail.com with ESMTPSA id g2sm36715867pfc.130.2017.12.20.11.51.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 20 Dec 2017 11:51:37 -0800 (PST) From: Amit Pundir To: lkml , linux-wireless@vger.kernel.org Cc: Suren Baghdasaryan , Samuel Ortiz , Christophe Ricard , Andy Shevchenko , John Stultz , Dmitry Shmidt , Todd Kjos , Android Kernel Team Subject: [RFC][PATCH 2/4] NFC: st21nfca: Fix memory OOB and leak issues in connectivity events handler Date: Thu, 21 Dec 2017 01:21:22 +0530 Message-Id: <1513799484-12505-3-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1513799484-12505-1-git-send-email-amit.pundir@linaro.org> References: <1513799484-12505-1-git-send-email-amit.pundir@linaro.org> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Suren Baghdasaryan Overflow on memcpy is possible in kernel driver for st21nfca's NFC HCI layer when handling connectivity events if aid_len or params_len are bigger than the buffer size. Memory leak is possible when parameter tag is invalid. Signed-off-by: Suren Baghdasaryan Signed-off-by: Amit Pundir --- drivers/nfc/st21nfca/se.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c index 4bed9e842db3..acdce231e227 100644 --- a/drivers/nfc/st21nfca/se.c +++ b/drivers/nfc/st21nfca/se.c @@ -322,23 +322,33 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host, * AID 81 5 to 16 * PARAMETERS 82 0 to 255 */ - if (skb->len < NFC_MIN_AID_LENGTH + 2 && + if (skb->len < NFC_MIN_AID_LENGTH + 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) return -EPROTO; + /* + * Buffer should have enough space for at least + * two tag fields + two length fields + aid_len (skb->data[1]) + */ + if (skb->len < skb->data[1] + 4) + return -EPROTO; + transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev, skb->len - 2, GFP_KERNEL); transaction->aid_len = skb->data[1]; memcpy(transaction->aid, &skb->data[2], transaction->aid_len); + transaction->params_len = skb->data[transaction->aid_len + 3]; - /* Check next byte is PARAMETERS tag (82) */ + /* Check next byte is PARAMETERS tag (82) and the length field */ if (skb->data[transaction->aid_len + 2] != - NFC_EVT_TRANSACTION_PARAMS_TAG) + NFC_EVT_TRANSACTION_PARAMS_TAG || + skb->len < transaction->aid_len + transaction->params_len + 4) { + devm_kfree(dev, transaction); return -EPROTO; + } - transaction->params_len = skb->data[transaction->aid_len + 3]; memcpy(transaction->params, skb->data + transaction->aid_len + 4, transaction->params_len);