Return-path: Received: from mail-pf0-f193.google.com ([209.85.192.193]:43671 "EHLO mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750969AbeECSjC (ORCPT ); Thu, 3 May 2018 14:39:02 -0400 Received: by mail-pf0-f193.google.com with SMTP id j20so1096344pff.10 for ; Thu, 03 May 2018 11:39:02 -0700 (PDT) From: Amit Pundir To: lkml , linux-wireless@vger.kernel.org Cc: Suren Baghdasaryan , Samuel Ortiz , Christophe Ricard , Andy Shevchenko , Greg KH , John Stultz , Dmitry Shmidt , Todd Kjos , Android Kernel Team , Stable Subject: [PATCH v3 1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ Date: Fri, 4 May 2018 00:08:53 +0530 Message-Id: <1525372736-25094-1-git-send-email-amit.pundir@linaro.org> (sfid-20180503_204016_906704_452FFF65) Sender: linux-wireless-owner@vger.kernel.org List-ID: From: Suren Baghdasaryan Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap. cc: Stable Signed-off-by: Suren Baghdasaryan Signed-off-by: Amit Pundir Reviewed-by: Andy Shevchenko --- v3..v1: Resend. No changes. drivers/nfc/st21nfca/dep.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c index fd08be2917e6..3420c5104c94 100644 --- a/drivers/nfc/st21nfca/dep.c +++ b/drivers/nfc/st21nfca/dep.c @@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, atr_req = (struct st21nfca_atr_req *)skb->data; - if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + if (atr_req->length < sizeof(struct st21nfca_atr_req) || + atr_req->length > skb->len) { r = -EPROTO; goto exit; } -- 2.7.4