2018-05-03 18:39:36

by Amit Pundir

[permalink] [raw]
Subject: [PATCH v3 1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ

From: Suren Baghdasaryan <[email protected]>

Out of bounds kernel accesses in st21nfca's NFC HCI layer
might happen when handling ATR_REQ events if user-specified
atr_req->length is bigger than the buffer size. In
that case memcpy() inside st21nfca_tm_send_atr_res() will
read extra bytes resulting in OOB read from the kernel heap.

cc: Stable <[email protected]>
Signed-off-by: Suren Baghdasaryan <[email protected]>
Signed-off-by: Amit Pundir <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
---
v3..v1:
Resend. No changes.

drivers/nfc/st21nfca/dep.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c
index fd08be2917e6..3420c5104c94 100644
--- a/drivers/nfc/st21nfca/dep.c
+++ b/drivers/nfc/st21nfca/dep.c
@@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,

atr_req = (struct st21nfca_atr_req *)skb->data;

- if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+ if (atr_req->length < sizeof(struct st21nfca_atr_req) ||
+ atr_req->length > skb->len) {
r = -EPROTO;
goto exit;
}
--
2.7.4



2018-05-03 18:39:50

by Amit Pundir

[permalink] [raw]
Subject: [PATCH v3 3/4] NFC: fdp: Fix possible buffer overflow in WCS4000 NFC driver

From: Suren Baghdasaryan <[email protected]>

Possible buffer overflow when reading next_read_size bytes into
tmp buffer after next_read_size was extracted from a previous packet.

cc: Stable <[email protected]>
Signed-off-by: Suren Baghdasaryan <[email protected]>
Signed-off-by: Amit Pundir <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
---
v3:
Reset next_read_size to a more readable macro FDP_NCI_I2C_MIN_PAYLOAD
instead of 5.

v2:
Remove redundant __func__ from dev_dgb().

drivers/nfc/fdp/i2c.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
index c4da50e07bbc..2c5ed2224c5e 100644
--- a/drivers/nfc/fdp/i2c.c
+++ b/drivers/nfc/fdp/i2c.c
@@ -176,6 +176,15 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb)
/* Packet that contains a length */
if (tmp[0] == 0 && tmp[1] == 0) {
phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3;
+ /*
+ * Ensure next_read_size does not exceed sizeof(tmp)
+ * for reading that many bytes during next iteration
+ */
+ if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) {
+ dev_dbg(&client->dev, "corrupted packet\n");
+ phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD;
+ goto flush;
+ }
} else {
phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD;

--
2.7.4


2018-05-03 18:40:11

by Amit Pundir

[permalink] [raw]
Subject: [PATCH v3 4/4] NFC: fdp: Remove __func__ from dev_dbg()

Remove redundant __func__ parameter from dev_dgb() calls and
delete empty dev_dbg() trace calls, which are redundant if
function tracer is enabled.

Signed-off-by: Amit Pundir <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
---
v3:
Updated commit message.

v2:
Deleted empty dev_dbg() trace calls, which are redundant if
function tracer is enabled.

drivers/nfc/fdp/fdp.c | 18 +++---------------
drivers/nfc/fdp/i2c.c | 17 ++++-------------
2 files changed, 7 insertions(+), 28 deletions(-)

diff --git a/drivers/nfc/fdp/fdp.c b/drivers/nfc/fdp/fdp.c
index d5784a47fc13..f64a6fd65c41 100644
--- a/drivers/nfc/fdp/fdp.c
+++ b/drivers/nfc/fdp/fdp.c
@@ -249,8 +249,6 @@ static int fdp_nci_open(struct nci_dev *ndev)
struct fdp_nci_info *info = nci_get_drvdata(ndev);
struct device *dev = &info->phy->i2c_dev->dev;

- dev_dbg(dev, "%s\n", __func__);
-
r = info->phy_ops->enable(info->phy);

return r;
@@ -261,7 +259,6 @@ static int fdp_nci_close(struct nci_dev *ndev)
struct fdp_nci_info *info = nci_get_drvdata(ndev);
struct device *dev = &info->phy->i2c_dev->dev;

- dev_dbg(dev, "%s\n", __func__);
return 0;
}

@@ -270,8 +267,6 @@ static int fdp_nci_send(struct nci_dev *ndev, struct sk_buff *skb)
struct fdp_nci_info *info = nci_get_drvdata(ndev);
struct device *dev = &info->phy->i2c_dev->dev;

- dev_dbg(dev, "%s\n", __func__);
-
if (atomic_dec_and_test(&info->data_pkt_counter))
info->data_pkt_counter_cb(ndev);

@@ -283,7 +278,6 @@ int fdp_nci_recv_frame(struct nci_dev *ndev, struct sk_buff *skb)
struct fdp_nci_info *info = nci_get_drvdata(ndev);
struct device *dev = &info->phy->i2c_dev->dev;

- dev_dbg(dev, "%s\n", __func__);
return nci_recv_frame(ndev, skb);
}
EXPORT_SYMBOL(fdp_nci_recv_frame);
@@ -498,8 +492,6 @@ static int fdp_nci_setup(struct nci_dev *ndev)
int r;
u8 patched = 0;

- dev_dbg(dev, "%s\n", __func__);
-
r = nci_core_init(ndev);
if (r)
goto error;
@@ -609,7 +601,6 @@ static int fdp_nci_core_reset_ntf_packet(struct nci_dev *ndev,
struct fdp_nci_info *info = nci_get_drvdata(ndev);
struct device *dev = &info->phy->i2c_dev->dev;

- dev_dbg(dev, "%s\n", __func__);
info->setup_reset_ntf = 1;
wake_up(&info->setup_wq);

@@ -622,7 +613,6 @@ static int fdp_nci_prop_patch_ntf_packet(struct nci_dev *ndev,
struct fdp_nci_info *info = nci_get_drvdata(ndev);
struct device *dev = &info->phy->i2c_dev->dev;

- dev_dbg(dev, "%s\n", __func__);
info->setup_patch_ntf = 1;
info->setup_patch_status = skb->data[0];
wake_up(&info->setup_wq);
@@ -637,7 +627,7 @@ static int fdp_nci_prop_patch_rsp_packet(struct nci_dev *ndev,
struct device *dev = &info->phy->i2c_dev->dev;
u8 status = skb->data[0];

- dev_dbg(dev, "%s: status 0x%x\n", __func__, status);
+ dev_dbg(dev, "status 0x%x\n", status);
nci_req_complete(ndev, status);

return 0;
@@ -650,7 +640,7 @@ static int fdp_nci_prop_set_production_data_rsp_packet(struct nci_dev *ndev,
struct device *dev = &info->phy->i2c_dev->dev;
u8 status = skb->data[0];

- dev_dbg(dev, "%s: status 0x%x\n", __func__, status);
+ dev_dbg(dev, "status 0x%x\n", status);
nci_req_complete(ndev, status);

return 0;
@@ -695,7 +685,7 @@ static int fdp_nci_core_get_config_rsp_packet(struct nci_dev *ndev,
dev_dbg(dev, "OTP version %d\n", info->otp_version);
dev_dbg(dev, "RAM version %d\n", info->ram_version);
dev_dbg(dev, "key index %d\n", info->key_index);
- dev_dbg(dev, "%s: status 0x%x\n", __func__, rsp->status);
+ dev_dbg(dev, "status 0x%x\n", rsp->status);

nci_req_complete(ndev, rsp->status);

@@ -798,8 +788,6 @@ void fdp_nci_remove(struct nci_dev *ndev)
struct fdp_nci_info *info = nci_get_drvdata(ndev);
struct device *dev = &info->phy->i2c_dev->dev;

- dev_dbg(dev, "%s\n", __func__);
-
nci_unregister_device(ndev);
nci_free_device(ndev);
}
diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
index 2c5ed2224c5e..bb14d30c568c 100644
--- a/drivers/nfc/fdp/i2c.c
+++ b/drivers/nfc/fdp/i2c.c
@@ -57,7 +57,6 @@ static int fdp_nci_i2c_enable(void *phy_id)
{
struct fdp_i2c_phy *phy = phy_id;

- dev_dbg(&phy->i2c_dev->dev, "%s\n", __func__);
fdp_nci_i2c_reset(phy);

return 0;
@@ -67,7 +66,6 @@ static void fdp_nci_i2c_disable(void *phy_id)
{
struct fdp_i2c_phy *phy = phy_id;

- dev_dbg(&phy->i2c_dev->dev, "%s\n", __func__);
fdp_nci_i2c_reset(phy);
}

@@ -113,8 +111,8 @@ static int fdp_nci_i2c_write(void *phy_id, struct sk_buff *skb)
}

if (r < 0 || r != skb->len)
- dev_dbg(&client->dev, "%s: error err=%d len=%d\n",
- __func__, r, skb->len);
+ dev_dbg(&client->dev, "error err=%d len=%d\n",
+ r, skb->len);

if (r >= 0) {
if (r != skb->len) {
@@ -152,8 +150,7 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb)

r = i2c_master_recv(client, tmp, len);
if (r != len) {
- dev_dbg(&client->dev, "%s: i2c recv err: %d\n",
- __func__, r);
+ dev_dbg(&client->dev, "i2c recv err: %d\n", r);
goto flush;
}

@@ -167,8 +164,7 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb)
* and force resynchronization
*/
if (lrc) {
- dev_dbg(&client->dev, "%s: corrupted packet\n",
- __func__);
+ dev_dbg(&client->dev, "corrupted packet\n");
phy->next_read_size = 5;
goto flush;
}
@@ -224,7 +220,6 @@ static irqreturn_t fdp_nci_i2c_irq_thread_fn(int irq, void *phy_id)
}

client = phy->i2c_dev;
- dev_dbg(&client->dev, "%s\n", __func__);

r = fdp_nci_i2c_read(phy, &skb);

@@ -305,8 +300,6 @@ static int fdp_nci_i2c_probe(struct i2c_client *client)
u32 clock_freq;
int r = 0;

- dev_dbg(dev, "%s\n", __func__);
-
if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
nfc_err(dev, "No I2C_FUNC_I2C support\n");
return -ENODEV;
@@ -368,8 +361,6 @@ static int fdp_nci_i2c_remove(struct i2c_client *client)
{
struct fdp_i2c_phy *phy = i2c_get_clientdata(client);

- dev_dbg(&client->dev, "%s\n", __func__);
-
fdp_nci_remove(phy->ndev);
fdp_nci_i2c_disable(phy);

--
2.7.4


2018-05-03 18:40:27

by Amit Pundir

[permalink] [raw]
Subject: [PATCH v3 2/4] NFC: Fix possible memory corruption when handling SHDLC I-Frame commands

From: Suren Baghdasaryan <[email protected]>

When handling SHDLC I-Frame commands "pipe" field used for indexing
into an array should be checked before usage. If left unchecked it
might access memory outside of the array of size NFC_HCI_MAX_PIPES(127).

cc: Stable <[email protected]>
Signed-off-by: Suren Baghdasaryan <[email protected]>
Signed-off-by: Amit Pundir <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
---
v3..v1:
Resend. No changes.

net/nfc/hci/core.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index ac8030c4bcf8..19cb2e473ea6 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
}
create_info = (struct hci_create_pipe_resp *)skb->data;

+ if (create_info->pipe >= NFC_HCI_MAX_PIPES) {
+ status = NFC_HCI_ANY_E_NOK;
+ goto exit;
+ }
+
/* Save the new created pipe and bind with local gate,
* the description for skb->data[3] is destination gate id
* but since we received this cmd from host controller, we
@@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
}
delete_info = (struct hci_delete_pipe_noti *)skb->data;

+ if (delete_info->pipe >= NFC_HCI_MAX_PIPES) {
+ status = NFC_HCI_ANY_E_NOK;
+ goto exit;
+ }
+
hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
break;
--
2.7.4


2018-06-09 09:52:43

by Samuel Ortiz

[permalink] [raw]
Subject: Re: [PATCH v3 1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ

Hi Amit,

On Fri, May 04, 2018 at 12:08:53AM +0530, Amit Pundir wrote:
> From: Suren Baghdasaryan <[email protected]>
>
> Out of bounds kernel accesses in st21nfca's NFC HCI layer
> might happen when handling ATR_REQ events if user-specified
> atr_req->length is bigger than the buffer size. In
> that case memcpy() inside st21nfca_tm_send_atr_res() will
> read extra bytes resulting in OOB read from the kernel heap.
>
> cc: Stable <[email protected]>
> Signed-off-by: Suren Baghdasaryan <[email protected]>
> Signed-off-by: Amit Pundir <[email protected]>
> Reviewed-by: Andy Shevchenko <[email protected]>
> ---
> v3..v1:
> Resend. No changes.
>
> drivers/nfc/st21nfca/dep.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
All 4 patches applied to nfc-next, thanks.

Cheers,
Samuel.