From patchwork Wed Apr 18 10:05:04 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 10347753
X-Patchwork-Delegate: sameo@linux.intel.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	A6A516053F for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 18 Apr 2018 10:05:56 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 95569285D8
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 18 Apr 2018 10:05:56 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 88E73285DB; Wed, 18 Apr 2018 10:05:56 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2ABD8285D8
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 18 Apr 2018 10:05:56 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753426AbeDRKFn (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Wed, 18 Apr 2018 06:05:43 -0400
Received: from mail-pg0-f66.google.com ([74.125.83.66]:45112 "EHLO
	mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752983AbeDRKF2 (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Wed, 18 Apr 2018 06:05:28 -0400
Received: by mail-pg0-f66.google.com with SMTP id z21so626447pgv.12
	for <linux-wireless@vger.kernel.org>;
	Wed, 18 Apr 2018 03:05:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=TZBj15vhcZkL16Ta0GEOKA6YFvs3QXuieY8qcfuQ2Dg=;
	b=f4ScOL+kvsB1n2oHrfxVv7siv3wGHJzKQlab2ujoKM5bBCjc+vd79n3HDdSDM+P6Hp
	gPVgUYJtiRATXiFEv4omAat3hkGhHbwHoHKFXG2cnHVzU1SISvSR5YZLHvltIrk3Kv93
	/xJqnQjFCQklk5b/HUG2RXJNccwlozf68YxsE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=TZBj15vhcZkL16Ta0GEOKA6YFvs3QXuieY8qcfuQ2Dg=;
	b=quvwO8QZ3j4FscdqsdsVHCz9RQrqjvSxsrGhw5utb7UkgV4Gahd278mAKDRsNPIjt3
	MUQ6L6HnJ+qWGKxDuvHCGMpp82vwr9GlU2muoy6ObZw3qsxJmzrD1KZD0alQGnQz7qSL
	aXpp4GNT5qj53H6Sxzk4wBN4wBqWhyCexfzYBLmU3TsY1pK5yClWxnxBxcAaKyRkabUD
	OLv7nVf/JOpTXlnBdiPfinbEPKnwQqMdmvFkTY3K3Dm2Iq3+q9UKF/uilIquiulu3CBc
	4vZ8IpcILMA+T20mjXVIzfDkwVgSUCtVNnlGuor9Y+HEdziO+BywKoyEJTtFKGAsLxEy
	ln+A==
X-Gm-Message-State: ALQs6tD7ZZAG4Dm9/HsDbe8ynd6IU9siou20VQmNtTIOzG37voc7aswp
	VFo7yN3Xx9IGdtsTfOpK9gLuIg==
X-Google-Smtp-Source: 
 AIpwx4/wJA2f4PXWmQ/HyIs86dfk067BezorzgzYu8L2MVMUwM/nNll0EifXy5tmKKEF7IbU3pQEJg==
X-Received: by 10.99.125.78 with SMTP id m14mr1231947pgn.190.1524045927437;
	Wed, 18 Apr 2018 03:05:27 -0700 (PDT)
Received: from localhost.localdomain ([106.51.17.69])
	by smtp.gmail.com with ESMTPSA id
	z16sm1970298pfn.101.2018.04.18.03.05.23
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 18 Apr 2018 03:05:26 -0700 (PDT)
From: Amit Pundir <amit.pundir@linaro.org>
To: lkml <linux-kernel@vger.kernel.org>, linux-wireless@vger.kernel.org
Cc: Samuel Ortiz <sameo@linux.intel.com>,
	Christophe Ricard <christophe.ricard@gmail.com>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	John Stultz <john.stultz@linaro.org>,
	Dmitry Shmidt <dimitrysh@google.com>, Todd Kjos <tkjos@google.com>,
	Android Kernel Team <kernel-team@android.com>,
	Suren Baghdasaryan <surenb@google.com>
Subject: [RESEND][PATCH 4/4] NFC: fdp: Fix possible buffer overflow in
	WCS4000 NFC driver
Date: Wed, 18 Apr 2018 15:35:04 +0530
Message-Id: <1524045904-7005-5-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1524045904-7005-1-git-send-email-amit.pundir@linaro.org>
References: <1524045904-7005-1-git-send-email-amit.pundir@linaro.org>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Suren Baghdasaryan <surenb@google.com>

Possible buffer overflow when reading next_read_size bytes into
tmp buffer after next_read_size was extracted from a previous packet.

Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/nfc/fdp/i2c.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
index c4da50e07bbc..08a4f82a2965 100644
--- a/drivers/nfc/fdp/i2c.c
+++ b/drivers/nfc/fdp/i2c.c
@@ -176,6 +176,16 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb)
 		/* Packet that contains a length */
 		if (tmp[0] == 0 && tmp[1] == 0) {
 			phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3;
+			/*
+			 * Ensure next_read_size does not exceed sizeof(tmp)
+			 * for reading that many bytes during next iteration
+			 */
+			if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) {
+				dev_dbg(&client->dev, "%s: corrupted packet\n",
+					__func__);
+				phy->next_read_size = 5;
+				goto flush;
+			}
 		} else {
 			phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD;