Date: Sat, 9 Jun 2018 11:51:46 +0200
From: Samuel Ortiz
To: Amit Pundir
Cc: lkml, linux-wireless@vger.kernel.org, Suren Baghdasaryan, Christophe Ricard, Andy Shevchenko, Greg KH, John Stultz, Dmitry Shmidt, Todd Kjos, Android Kernel Team, Stable
Subject: Re: [PATCH v3 1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ
Message-ID: <20180609095146.GA25115@caravaggio.jf.intel.com>
In-Reply-To: <1525372736-25094-1-git-send-email-amit.pundir@linaro.org>

Hi Amit,

On Fri, May 04, 2018 at 12:08:53AM +0530, Amit Pundir wrote:
> From: Suren Baghdasaryan
>
> Out of bounds kernel accesses in st21nfca's NFC HCI layer
> might happen when handling ATR_REQ events if user-specified
> atr_req->length is bigger than the buffer size. In
> that case memcpy() inside st21nfca_tm_send_atr_res() will
> read extra bytes resulting in OOB read from the kernel heap.
>
> cc: Stable
> Signed-off-by: Suren Baghdasaryan
> Signed-off-by: Amit Pundir
> Reviewed-by: Andy Shevchenko
> ---
> v3..v1:
> Resend. No changes.
>
>  drivers/nfc/st21nfca/dep.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

All 4 patches applied to nfc-next, thanks.

Cheers,
Samuel.
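
Added example (not part of the original message, the patch, or the st21nfca driver): a user-space C model of the bug class the quoted commit message describes, where a sender-supplied length field is checked against the number of bytes actually received before memcpy() runs. The struct layout, function names and error code are hypothetical, and the input buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATR_ERR_PROTO (-1)  /* hypothetical error code for this model */

/* Hypothetical length-prefixed frame; not the driver's own structure. */
struct atr_req_model {
    uint8_t length;        /* sender-controlled: claimed total frame length */
    uint8_t cmd0, cmd1;
    uint8_t nfcid3[10];
    uint8_t did, bsi, bri, ppi;
    uint8_t gbi[];         /* variable-length general bytes */
};

/* Copy the general bytes out of a frame; returns bytes copied or ATR_ERR_PROTO. */
int copy_general_bytes(const uint8_t *frame, size_t received,
                       uint8_t *out, size_t out_cap)
{
    const struct atr_req_model *req = (const struct atr_req_model *)frame;
    size_t gb_len;

    /* Fixed header truncated, or a length that would underflow gb_len. */
    if (received < sizeof(*req) || req->length < sizeof(*req))
        return ATR_ERR_PROTO;
    /* Length claims more than arrived: copying would read out of bounds. */
    if (req->length > received)
        return ATR_ERR_PROTO;
    gb_len = req->length - sizeof(*req);
    if (gb_len > out_cap)  /* destination too small */
        return ATR_ERR_PROTO;
    memcpy(out, req->gbi, gb_len);
    return (int)gb_len;
}

/* Constructed input: 32-byte buffer, `received` (<= 32) bytes count as received. */
int parse_constructed_frame(uint8_t claimed, size_t received)
{
    uint8_t frame[32] = {0}, out[16];
    frame[0] = claimed;
    return copy_general_bytes(frame, received, out, sizeof(out));
}

int main(void)
{
    printf("%d %d\n", parse_constructed_frame(20, 20), parse_constructed_frame(200, 20));
    return 0;
}
```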