f19546a9 GKH |
1 | From 674d9de02aa7d521ebdf66c3958758bdd9c64e11 Mon Sep 17 00:00:00 2001 |
2 | From: Suren Baghdasaryan <surenb@google.com> | |
3 | Date: Mon, 17 Sep 2018 15:51:40 +0200 | |
4 | Subject: NFC: Fix possible memory corruption when handling SHDLC I-Frame commands | |
5 | ||
6 | From: Suren Baghdasaryan <surenb@google.com> | |
7 | ||
8 | commit 674d9de02aa7d521ebdf66c3958758bdd9c64e11 upstream. | |
9 | ||
10 | When handling SHDLC I-Frame commands "pipe" field used for indexing | |
11 | into an array should be checked before usage. If left unchecked it | |
12 | might access memory outside of the array of size NFC_HCI_MAX_PIPES(127). | |
13 | ||
14 | Malformed NFC HCI frames could be injected by a malicious NFC device | |
15 | communicating with the device being attacked (remote attack vector), | |
16 | or even by an attacker with physical access to the I2C bus such that | |
17 | they could influence the data transfers on that bus (local attack vector). | |
18 | skb->data is controlled by the attacker and has only been sanitized in | |
19 | the most trivial ways (CRC check), therefore we can consider the | |
20 | create_info struct and all of its members to be tainted. 'create_info->pipe' | |
21 | with max value of 255 (uint8) is used to take an offset of the | |
22 | hdev->pipes array of 127 elements which can lead to OOB write. | |
23 | ||
24 | Cc: Samuel Ortiz <sameo@linux.intel.com> | |
25 | Cc: Allen Pais <allen.pais@oracle.com> | |
26 | Cc: "David S. Miller" <davem@davemloft.net> | |
27 | Suggested-by: Kevin Deus <kdeus@google.com> | |
28 | Signed-off-by: Suren Baghdasaryan <surenb@google.com> | |
29 | Acked-by: Kees Cook <keescook@chromium.org> | |
30 | Cc: stable <stable@vger.kernel.org> | |
31 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
32 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
33 | ||
34 | --- | |
35 | net/nfc/hci/core.c | 10 ++++++++++ | |
36 | 1 file changed, 10 insertions(+) | |
37 | ||
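--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci
 	}
 	create_info = (struct hci_create_pipe_resp *)skb->data;
 
+	if (create_info->pipe >= NFC_HCI_MAX_PIPES) {
+		status = NFC_HCI_ANY_E_NOK;
+		goto exit;
+	}
+
 	/* Save the new created pipe and bind with local gate,
 	 * the description for skb->data[3] is destination gate id
 	 * but since we received this cmd from host controller, we
@@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci
 	}
 	delete_info = (struct hci_delete_pipe_noti *)skb->data;
 
+	if (delete_info->pipe >= NFC_HCI_MAX_PIPES) {
+		status = NFC_HCI_ANY_E_NOK;
+		goto exit;
+	}
+
 	hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
 	hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
 	break;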
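Review bot: The two added bounds checks carry no comment saying why they exist, so a later reader may take them for a defensive nicety and drop or relax one; the commit message's rationale belongs next to the code. Both checks (the create_info one in the first hunk and the delete_info one in the second) would read better with `/* pipe comes straight from skb->data and is only CRC-checked: bound it before it indexes hdev->pipes[] (NFC_HCI_MAX_PIPES entries) */`. Since the same test appears twice with the same failure path, a small `static` helper such as `nfc_hci_pipe_valid()` would keep the two sites from drifting apart if a third command handler ever indexes `hdev->pipes[]` with a frame-supplied value. The enclosing `nfc_hci_cmd_received()` starts and ends outside these hunks, so whether the `exit` label reports `status` back to the host controller cannot be confirmed from here.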