Return-path: Received: from mail-pg0-f67.google.com ([74.125.83.67]:36800 "EHLO mail-pg0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751763AbeEBRsT (ORCPT ); Wed, 2 May 2018 13:48:19 -0400 Received: by mail-pg0-f67.google.com with SMTP id z129-v6so6985464pgz.3 for ; Wed, 02 May 2018 10:48:19 -0700 (PDT) From: Amit Pundir To: lkml , linux-wireless@vger.kernel.org Cc: Suren Baghdasaryan , Samuel Ortiz , Christophe Ricard , Andy Shevchenko , Greg KH , John Stultz , Dmitry Shmidt , Todd Kjos , Android Kernel Team Subject: [PATCH v2 1/3] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ Date: Wed, 2 May 2018 23:18:06 +0530 Message-Id: <1525283288-7027-2-git-send-email-amit.pundir@linaro.org> (sfid-20180502_195016_793614_BE21C997) In-Reply-To: <1525283288-7027-1-git-send-email-amit.pundir@linaro.org> References: <1525283288-7027-1-git-send-email-amit.pundir@linaro.org> Sender: linux-wireless-owner@vger.kernel.org List-ID: From: Suren Baghdasaryan Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap. Signed-off-by: Suren Baghdasaryan Signed-off-by: Amit Pundir --- v2: Resend. No changes. drivers/nfc/st21nfca/dep.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c index fd08be2..3420c51 100644 --- a/drivers/nfc/st21nfca/dep.c +++ b/drivers/nfc/st21nfca/dep.c @@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, atr_req = (struct st21nfca_atr_req *)skb->data; - if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + if (atr_req->length < sizeof(struct st21nfca_atr_req) || + atr_req->length > skb->len) { r = -EPROTO; goto exit; } -- 2.7.4