From patchwork Wed Dec 20 19:51:21 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 10126487
X-Patchwork-Delegate: sameo@linux.intel.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	898906019C for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 20 Dec 2017 19:52:49 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7B13029895
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 20 Dec 2017 19:52:49 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6EDE3298AD; Wed, 20 Dec 2017 19:52:49 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7148729895
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 20 Dec 2017 19:52:48 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756581AbdLTTwq (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Wed, 20 Dec 2017 14:52:46 -0500
Received: from mail-pf0-f194.google.com ([209.85.192.194]:35636 "EHLO
	mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756207AbdLTTvf (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Wed, 20 Dec 2017 14:51:35 -0500
Received: by mail-pf0-f194.google.com with SMTP id j124so12995288pfc.2
	for <linux-wireless@vger.kernel.org>;
	Wed, 20 Dec 2017 11:51:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=BSvaSnSaUmVJ7Li8G5jPfvmWzxU8loCxeYaDdT0Atkw=;
	b=itw0DtiiAKKmK/MVZ+/FsvO5cVdilp0X89f54teCSZ8Ec5vJPsF3Xnv9sJHkZruK7P
	6fYCkPG5MA64oue0l9wik1hZ4MQxaQhxBRNZxqNDv8BWxS7isnDjjcAtiV/b7uNzjNqE
	7ij21vD9H/YWILrbRo2EZuFXTosFLv7qHhR3o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=BSvaSnSaUmVJ7Li8G5jPfvmWzxU8loCxeYaDdT0Atkw=;
	b=CD+rwnBQ7DvxC55o+MzI9mAn+Cu1wZCr/dW9iNDcNsNXxoeLqSzAQNXaYL/YIzsxzc
	dg/LaLV69+B8UbwcF1Rr/YjF8sG0lQtUnDq1RYVsw0GDUFeKqOipCT3I07it++093dFj
	gZVcgcAmBbguw7hk3iUfs78wrmyI7B6ML0IL/v4q91wC8hetBbGfKRel7yAmcCAncYMT
	zXH0OXlRgsWE4sKSQacLXtETv6Akaqhbjf6yh4sHmaBQo32e0cCN4UFTWH1BdNLZ8Pa5
	amuSDpt7J52rXB1ekX/KZV19gI8KwZ1YcI7Gpm0kwbjBnXt9x6LOxuIWcEg824vT5BM6
	mIng==
X-Gm-Message-State: AKGB3mIEO+2RHY4tGovoefHtWCw4PjJePqPMbAx5JO0UMzmt816HhwOO
	Q/UQFc17seoymPJcK4PykT78wA==
X-Google-Smtp-Source: 
 ACJfBotNGFe9hom02H5rKr1CG/16XgPa40PAnlLKGUZq2EDwBLJEZ2bgr8obTrfJBNdo/OzV3br37w==
X-Received: by 10.101.98.136 with SMTP id f8mr7204857pgv.366.1513799495117;
	Wed, 20 Dec 2017 11:51:35 -0800 (PST)
Received: from localhost.localdomain ([106.51.17.191])
	by smtp.gmail.com with ESMTPSA id
	g2sm36715867pfc.130.2017.12.20.11.51.31
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 20 Dec 2017 11:51:33 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: lkml <linux-kernel@vger.kernel.org>, linux-wireless@vger.kernel.org
Cc: Suren Baghdasaryan <surenb@google.com>,
	Samuel Ortiz <sameo@linux.intel.com>,
	Christophe Ricard <christophe.ricard@gmail.com>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	John Stultz <john.stultz@linaro.org>,
	Dmitry Shmidt <dimitrysh@google.com>, Todd Kjos <tkjos@google.com>,
	Android Kernel Team <kernel-team@android.com>
Subject: [RFC][PATCH 1/4] NFC: st21nfca: Fix out of bounds kernel access
	when handling ATR_REQ
Date: Thu, 21 Dec 2017 01:21:21 +0530
Message-Id: <1513799484-12505-2-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1513799484-12505-1-git-send-email-amit.pundir@linaro.org>
References: <1513799484-12505-1-git-send-email-amit.pundir@linaro.org>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Suren Baghdasaryan <surenb@google.com>

Out of bounds kernel accesses in st21nfca's NFC HCI layer
might happen when handling ATR_REQ events if user-specified
atr_req->length is bigger than the buffer size. In
that case memcpy() inside st21nfca_tm_send_atr_res() will
read extra bytes resulting in OOB read from the kernel heap.

Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/nfc/st21nfca/dep.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c
index fd08be2917e6..3420c5104c94 100644
--- a/drivers/nfc/st21nfca/dep.c
+++ b/drivers/nfc/st21nfca/dep.c
@@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
 
 	atr_req = (struct st21nfca_atr_req *)skb->data;
 
-	if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+	if (atr_req->length < sizeof(struct st21nfca_atr_req) ||
+	    atr_req->length > skb->len) {
 		r = -EPROTO;
 		goto exit;
 	}