From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Samuel Ortiz, Allen Pais, "David S. Miller", Kevin Deus, Suren Baghdasaryan, Kees Cook
Subject: [PATCH 4.14 14/64] NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
Date: Thu, 27 Sep 2018 11:03:31 +0200
Message-Id: <20180927090251.655067908@linuxfoundation.org>
In-Reply-To: <20180927090249.801943776@linuxfoundation.org>
References: <20180927090249.801943776@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Suren Baghdasaryan commit 674d9de02aa7d521ebdf66c3958758bdd9c64e11 upstream. When handling SHDLC I-Frame commands "pipe" field used for indexing into an array should be checked before usage. If left unchecked it might access memory outside of the array of size NFC_HCI_MAX_PIPES(127). Malformed NFC HCI frames could be injected by a malicious NFC device communicating with the device being attacked (remote attack vector), or even by an attacker with physical access to the I2C bus such that they could influence the data transfers on that bus (local attack vector). skb->data is controlled by the attacker and has only been sanitized in the most trivial ways (CRC check), therefore we can consider the create_info struct and all of its members to tainted. 'create_info->pipe' with max value of 255 (uint8) is used to take an offset of the hdev->pipes array of 127 elements which can lead to OOB write. Cc: Samuel Ortiz Cc: Allen Pais Cc: "David S. Miller" Suggested-by: Kevin Deus Signed-off-by: Suren Baghdasaryan Acked-by: Kees Cook Cc: stable Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/nfc/hci/core.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/net/nfc/hci/core.c +++ b/net/nfc/hci/core.c @@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci } create_info = (struct hci_create_pipe_resp *)skb->data; + if (create_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + /* Save the new created pipe and bind with local gate, * the description for skb->data[3] is destination gate id * but since we received this cmd from host controller, we @@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci } delete_info = (struct hci_delete_pipe_noti *)skb->data; + if (delete_info->pipe >= NFC_HCI_MAX_PIPES) { + status = NFC_HCI_ANY_E_NOK; + goto exit; + } + hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE; hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST; break;
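Review bot: in the first hunk (@@ -209, the create-pipe handler) the new bound check sits after `create_info = (struct hci_create_pipe_resp *)skb->data;`, but nothing in the visible context shows that skb->len was compared against sizeof(struct hci_create_pipe_resp) before create_info->pipe is read; if that length check is not already present earlier in nfc_hci_cmd_received it should precede the new test, since the commit message treats skb->data as attacker-controlled and sanitized only by CRC. The bound itself is right: pipe is a u8 (0..255) and hdev->pipes has NFC_HCI_MAX_PIPES (127) entries, so `>=` correctly rejects index 127 as well as anything above it.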
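Review bot: the second hunk (@@ -232, the delete-pipe handler) repeats the same five-line check verbatim; a small static inline helper, or one check on the pipe byte applied before the switch on the command, would keep the two paths from diverging if another pipe-indexed command is added later. It is also worth emitting a rate-limited warning when the check fails: per the commit message an out-of-range pipe id can only come from a malformed or malicious frame, so surfacing it in the host's logs is more useful than silently answering NFC_HCI_ANY_E_NOK.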
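The unchecked index the commit message describes, modelled outside the kernel as an added example (this is not the kernel's code): a u8 pipe id taken from an attacker-controlled frame indexes a 127-entry table, so each handler rejects pipe >= NFC_HCI_MAX_PIPES before any write, and a length check before the struct is read guards the read of the pipe byte itself. Struct layouts, the STATUS_* values and the sample frames are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the objects the patch touches; struct layouts and
 * status values are stand-ins, not the kernel's own definitions. */
#define NFC_HCI_MAX_PIPES    127   /* table size named in the patch */
#define NFC_HCI_INVALID_GATE 0xff
#define NFC_HCI_INVALID_HOST 0xff
#define STATUS_OK            0
#define STATUS_E_NOK         1     /* stand-in for NFC_HCI_ANY_E_NOK */

struct hci_create_pipe_resp { uint8_t src_host, src_gate, dest_host, dest_gate, pipe; };
struct hci_delete_pipe_noti { uint8_t pipe; };
static struct { uint8_t gate, dest_host; } pipes[NFC_HCI_MAX_PIPES]; /* hdev->pipes */

/* The bound the patch adds: pipe is a u8 (0..255), the table has 127 slots. */
int pipe_index_ok(uint8_t pipe) { return pipe < NFC_HCI_MAX_PIPES; }

/* Create-pipe handler: refuse a frame too short to hold the struct before
 * reading it, then refuse an out-of-range pipe before touching the table. */
int handle_create_pipe(const uint8_t *data, size_t len)
{
    struct hci_create_pipe_resp info;
    if (len < sizeof info)
        return STATUS_E_NOK;
    memcpy(&info, data, sizeof info);   /* the kernel casts skb->data in place */
    if (!pipe_index_ok(info.pipe))
        return STATUS_E_NOK;            /* unchecked, this writes past pipes[] */
    pipes[info.pipe].gate = info.dest_gate;
    pipes[info.pipe].dest_host = info.src_host;
    return STATUS_OK;
}

/* Delete-pipe handler: the same two checks, then mark the slot unused. */
int handle_delete_pipe(const uint8_t *data, size_t len)
{
    struct hci_delete_pipe_noti info;
    if (len < sizeof info)
        return STATUS_E_NOK;
    memcpy(&info, data, sizeof info);
    if (!pipe_index_ok(info.pipe))
        return STATUS_E_NOK;
    pipes[info.pipe].gate = NFC_HCI_INVALID_GATE;
    pipes[info.pipe].dest_host = NFC_HCI_INVALID_HOST;
    return STATUS_OK;
}
/* Lets a caller confirm a rejected frame changed nothing (0 = never bound). */
uint8_t pipe_gate(uint8_t pipe) { return pipe_index_ok(pipe) ? pipes[pipe].gate : 0; }
```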