[net-next] nfc: pn533: prevent potential memory corruption

Message ID	YGcDqkN1v/NVZA9z@mwanda (mailing list archive)
State	Accepted
Commit	ca4d4c34ae9aa5c3c0da76662c5e549d2fc0cc86
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> Date: Fri, 2 Apr 2021 14:44:42 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Jakub Kicinski <kuba@kernel.org>, Samuel Ortiz <sameo@linux.intel.com> Cc: Jakub Kicinski <kuba@kernel.org>, "John W. Linville" <linville@tuxdriver.com>, netdev@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH net-next] nfc: pn533: prevent potential memory corruption Message-ID: <YGcDqkN1v/NVZA9z@mwanda> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk
Series	[net-next] nfc: pn533: prevent potential memory corruption \| expand [net-next] nfc: pn533: prevent potential memory corruption

Message ID

YGcDqkN1v/NVZA9z@mwanda (mailing list archive)

State

Accepted

Commit

ca4d4c34ae9aa5c3c0da76662c5e549d2fc0cc86

Delegated to:

Netdev Maintainers

Headers

show

Return-Path: <netdev-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,
	UNPARSEABLE_RELAY autolearn=unavailable autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 77595C433ED
	for <netdev@archiver.kernel.org>; Fri,  2 Apr 2021 11:45:26 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 3EC2B610D2
	for <netdev@archiver.kernel.org>; Fri,  2 Apr 2021 11:45:26 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235200AbhDBLp0 (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Fri, 2 Apr 2021 07:45:26 -0400
Received: from aserp2120.oracle.com ([141.146.126.78]:49428 "EHLO
        aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229722AbhDBLpY (ORCPT
        <rfc822;netdev@vger.kernel.org>); Fri, 2 Apr 2021 07:45:24 -0400
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1])
        by aserp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id
 132BdrLH134594;
        Fri, 2 Apr 2021 11:44:53 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
 h=date : from : to : cc
 : subject : message-id : mime-version : content-type; s=corp-2020-01-29;
 bh=/hVKKBXs7Xaa9Z4zApQwuQO2S1qguLAABlgQIBFeKI4=;
 b=em0bNNnM3cO3uVW3NDuNU2QN9YFO+JomY7MQnVQWO9XLr7NsEEPDHWXUePpbuz+ObBhb
 ybYy5NNHM6cToHDtOgK/T2dbMc0MM1b/7zbVZzgO6wzD3XDmjdYAggLHFKHBX+pJyn8A
 IdujvybkCjuN1HvW7xH2Ww24q/VQI9FWJMaVtbHpmnPrCs942ou0RkrYvYexFjtaDTo9
 78E490FwKF5cZxGBanjTC4DvE+PJmOwOuHlnz6+/KgTacT1VDhTW2oUoLV24y+Uq/a4G
 ieJvmaTkWTfgJGdah1wI6vwG6mZFRnDUyWYBZmIAi8YvrQRWvGUGa9S52JF2k1zu1gAb 4A==
Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79])
        by aserp2120.oracle.com with ESMTP id 37n2akmgkk-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
 verify=OK);
        Fri, 02 Apr 2021 11:44:53 +0000
Received: from pps.filterd (userp3020.oracle.com [127.0.0.1])
        by userp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id
 132Beleu164353;
        Fri, 2 Apr 2021 11:44:51 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75])
        by userp3020.oracle.com with ESMTP id 37n2pbp4bj-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
 verify=OK);
        Fri, 02 Apr 2021 11:44:51 +0000
Received: from abhmp0008.oracle.com (abhmp0008.oracle.com [141.146.116.14])
        by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 132Bin5u002981;
        Fri, 2 Apr 2021 11:44:49 GMT
Received: from mwanda (/102.36.221.92)
        by default (Oracle Beehive Gateway v4.0)
        with ESMTP ; Fri, 02 Apr 2021 04:44:48 -0700
Date: Fri, 2 Apr 2021 14:44:42 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jakub Kicinski <kuba@kernel.org>,
        Samuel Ortiz <sameo@linux.intel.com>
Cc: Jakub Kicinski <kuba@kernel.org>,
        "John W. Linville" <linville@tuxdriver.com>,
        netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH net-next] nfc: pn533: prevent potential memory corruption
Message-ID: <YGcDqkN1v/NVZA9z@mwanda>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Mailer: git-send-email haha only kidding
X-Proofpoint-IMR: 1
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=9941
 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0
 mlxlogscore=999
 adultscore=0 bulkscore=0 mlxscore=0 spamscore=0 malwarescore=0
 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2103310000 definitions=main-2104020086
X-Proofpoint-ORIG-GUID: MamheoFcieL_Glcrj2BvBQ3QB6vRdxjt
X-Proofpoint-GUID: MamheoFcieL_Glcrj2BvBQ3QB6vRdxjt
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=9941
 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0
 impostorscore=0 phishscore=0
 bulkscore=0 adultscore=0 clxscore=1011 malwarescore=0 priorityscore=1501
 suspectscore=0 spamscore=0 mlxlogscore=999 lowpriorityscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2103310000
 definitions=main-2104020086
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Series

[net-next] nfc: pn533: prevent potential memory corruption | expand

Checks

Context	Check	Description
netdev/cover_letter	success	Link
netdev/fixes_present	success	Link
netdev/patch_count	success	Link
netdev/tree_selection	success	Clearly marked for net-next
netdev/subject_prefix	success	Link
netdev/cc_maintainers	warning	2 maintainers not CCed: wengjianfeng@yulong.com gustavoars@kernel.org
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Link
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 2 this patch: 2
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/verify_fixes	success	Link
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_allmodconfig_warn	success	Errors and warnings before: 2 this patch: 2
netdev/header_inline	success	Link

Context

Check

Description

netdev/cover_letter

success

Link

netdev/fixes_present

success

Link

netdev/patch_count

success

Link

netdev/tree_selection

success

Clearly marked for net-next

netdev/subject_prefix

success

Link

netdev/cc_maintainers

warning

2 maintainers not CCed: wengjianfeng@yulong.com gustavoars@kernel.org

netdev/source_inline

success

Was 0 now: 0

netdev/verify_signedoff

success

Link

netdev/module_param

success

Was 0 now: 0

netdev/build_32bit

success

Errors and warnings before: 2 this patch: 2

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/verify_fixes

success

Link

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 9 lines checked

netdev/build_allmodconfig_warn

success

Errors and warnings before: 2 this patch: 2

netdev/header_inline

success

Link

Commit Message

Dan Carpenter April 2, 2021, 11:44 a.m. UTC

If the "type_a->nfcid_len" is too large then it would lead to memory
corruption in pn533_target_found_type_a() when we do:

	memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);

Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/nfc/pn533/pn533.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org April 2, 2021, 9:30 p.m. UTC | #1

Hello:

This patch was applied to netdev/net-next.git (refs/heads/master):

On Fri, 2 Apr 2021 14:44:42 +0300 you wrote:
> If the "type_a->nfcid_len" is too large then it would lead to memory
> corruption in pn533_target_found_type_a() when we do:
> 
> 	memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);
> 
> Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> [...]

Here is the summary with links:
  - [net-next] nfc: pn533: prevent potential memory corruption
    https://git.kernel.org/netdev/net-next/c/ca4d4c34ae9a

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index f1469ac8ff42..3fe5b81eda2d 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -706,6 +706,9 @@  static bool pn533_target_type_a_is_valid(struct pn533_target_type_a *type_a,
 	if (PN533_TYPE_A_SEL_CASCADE(type_a->sel_res) != 0)
 		return false;
 
+	if (type_a->nfcid_len > NFC_NFCID1_MAXSIZE)
+		return false;
+
 	return true;
 }