From patchwork Tue Apr 5 13:40:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1613430 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=sCDxyKZ9; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4KXph933cZz9s2R for ; Tue, 5 Apr 2022 23:41:13 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1nbjQi-0000P7-JI; Tue, 05 Apr 2022 13:41:08 +0000 Received: from smtp-relay-canonical-1.internal ([10.131.114.174] helo=smtp-relay-canonical-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1nbjQg-0000P0-Ad for kernel-team@lists.ubuntu.com; Tue, 05 Apr 2022 13:41:06 +0000 Received: from quatroqueijos.. (unknown [179.93.182.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-1.canonical.com (Postfix) with ESMTPSA id 5FA023FD88 for ; Tue, 5 Apr 2022 13:41:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1649166066; bh=dT4J0aTKXHjeS6St4vSpCOR1A5727XMKh4HM0rVWmHM=; h=From:To:Subject:Date:Message-Id:MIME-Version; b=sCDxyKZ90tjIKb5hj8vW5w/Mx2Jr250vb5bEmeSo8tgUO5iI+v2Q8ZjNofV4jzTBS KkiUC/B3fDZdF6Fij0cEVNxlfWH3HAAAm//CnLbVcvQTz6GExBnb/0km3H7n3DzQN6 BYkLVVyD3ywzBgWS5X0TuCcTSk6PH3sTG7OW0Qqro0dZgcAcd8q8+NU3D+Hl/2EATp YYjb1O6lCleMeL7Nc9+810bndGpIO+6NB6h0opjTm46RAvZbvCZot3iQ+KWiVNnPVV nvUjESPWB64WYk3cXMPbOgMoG+NEvrLiQjog9SBnhszYxhUf8iZbcwaXY+nJ35Ck4W LN9uvN3V2kX5Q== From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [SRU Bionic/Focal/Impish/Jammy] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION Date: Tue, 5 Apr 2022 10:40:56 -0300 Message-Id: <20220405134056.123841-1-cascardo@canonical.com> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Jordy Zomer It appears that there are some buffer overflows in EVT_TRANSACTION. This happens because the length parameters that are passed to memcpy come directly from skb->data and are not guarded in any way. Signed-off-by: Jordy Zomer Reviewed-by: Krzysztof Kozlowski Signed-off-by: David S. Miller (cherry picked from commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221) CVE-2022-26490 Signed-off-by: Thadeu Lima de Souza Cascardo Acked-by: Bartlomiej Zolnierkiewicz Acked-by: Tim Gardner --- drivers/nfc/st21nfca/se.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c index c8bdf078d111..0841e0e370a0 100644 --- a/drivers/nfc/st21nfca/se.c +++ b/drivers/nfc/st21nfca/se.c @@ -320,6 +320,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host, return -ENOMEM; transaction->aid_len = skb->data[1]; + + /* Checking if the length of the AID is valid */ + if (transaction->aid_len > sizeof(transaction->aid)) + return -EINVAL; + memcpy(transaction->aid, &skb->data[2], transaction->aid_len); @@ -329,6 +334,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host, return -EPROTO; transaction->params_len = skb->data[transaction->aid_len + 3]; + + /* Total size is allocated (skb->len - 2) minus fixed array members */ + if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction))) + return -EINVAL; + memcpy(transaction->params, skb->data + transaction->aid_len + 4, transaction->params_len);