From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Samuel Ortiz, Allen Pais, "David S. Miller", Kevin Deus, Suren Baghdasaryan, Kees Cook
Subject: [PATCH 4.18 23/88] NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
Date: Thu, 27 Sep 2018 11:03:04 +0200
Message-Id: <20180927090303.358724477@linuxfoundation.org>
In-Reply-To: <20180927090300.631426620@linuxfoundation.org>
References: <20180927090300.631426620@linuxfoundation.org>

4.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Suren Baghdasaryan

commit 674d9de02aa7d521ebdf66c3958758bdd9c64e11 upstream.

When handling SHDLC I-Frame commands, the "pipe" field used for indexing into an array should be checked before usage. If left unchecked it might access memory outside of the array of size NFC_HCI_MAX_PIPES(127).

Malformed NFC HCI frames could be injected by a malicious NFC device communicating with the device being attacked (remote attack vector), or even by an attacker with physical access to the I2C bus such that they could influence the data transfers on that bus (local attack vector). skb->data is controlled by the attacker and has only been sanitized in the most trivial ways (CRC check), therefore we can consider the create_info struct and all of its members to be tainted. 'create_info->pipe' with max value of 255 (uint8) is used to take an offset of the hdev->pipes array of 127 elements which can lead to OOB write.

Cc: Samuel Ortiz
Cc: Allen Pais
Cc: "David S. Miller"
Suggested-by: Kevin Deus
Signed-off-by: Suren Baghdasaryan
Acked-by: Kees Cook
Cc: stable
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/nfc/hci/core.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/net/nfc/hci/core.c +++ b/net/nfc/hci/core.c @@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci } create_info = (struct hci_create_pipe_resp *)skb->data; + if (create_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + /* Save the new created pipe and bind with local gate, * the description for skb->data[3] is destination gate id * but since we received this cmd from host controller, we @@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci } delete_info = (struct hci_delete_pipe_noti *)skb->data; + if (delete_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE; hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST; break;
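Review bot: in the first hunk (the create-pipe path, around line 209), the new `if (create_info->pipe >= NFC_HCI_MAX_PIPES)` check uses `>=` rather than `>`, which is the correct boundary: with NFC_HCI_MAX_PIPES at 127 and `pipe` a u8 that can reach 255, index 127 itself is already one past the end of a 127-element `hdev->pipes`, so an off-by-one here would have left a one-slot out-of-bounds write. The check would benefit from its own one-line comment saying that `pipe` comes straight from attacker-controlled `skb->data`, since the comment block that follows only describes the gate binding; the context also does not show how `skb->len` is validated before the cast to `struct hci_create_pipe_resp *`, so a reviewer should confirm that length check exists above the hunk before `create_info->pipe` is read.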
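Review bot: in the second hunk (the delete-pipe path, around line 232), the check lands directly before the two `hdev->pipes[delete_info->pipe]` writes (`.gate = NFC_HCI_INVALID_GATE` and `.dest_host = NFC_HCI_INVALID_HOST`), which is exactly the OOB write path the commit message describes, and it mirrors the first hunk so both sites now reject out-of-range indices with `NFC_HCI_ANY_E_NOK` via `goto exit`. Two follow-ups worth considering: the commit message calls this a remote attack vector, so a rate-limited warning when an out-of-range pipe is rejected would make a malformed frame from a peer visible in the logs rather than silently NOK'd; and the identical four-line check now appears twice, so a small inline helper (for example `nfc_hci_pipe_valid(pipe)`) would keep the two sites from drifting apart in later changes.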