[thirdparty/kernel/stable-queue.git] / releases / 4.18.11 / nfc-fix-the-number-of-pipes.patch

From e285d5bfb7e9785d289663baef252dd315e171f8 Mon Sep 17 00:00:00 2001
From: Suren Baghdasaryan <surenb@google.com>
Date: Mon, 17 Sep 2018 15:51:41 +0200
Subject: NFC: Fix the number of pipes

From: Suren Baghdasaryan <surenb@google.com>

commit e285d5bfb7e9785d289663baef252dd315e171f8 upstream.

According to ETSI TS 102 622 specification chapter 4.4 pipe identifier
is 7 bits long which allows for 128 unique pipe IDs. Because
NFC_HCI_MAX_PIPES is used as the number of pipes supported and not
as the max pipe ID, its value should be 128 instead of 127.

nfc_hci_recv_from_llc extracts pipe ID from packet header using
NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127.
Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With
pipes array having only 127 elements and pipe ID of 127 the OOB memory
access will result.

Cc: Samuel Ortiz <sameo@linux.intel.com>
Cc: Allen Pais <allen.pais@oracle.com>
Cc: "David S. Miller" <davem@davemloft.net>
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/net/nfc/hci.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/nfc/hci.h
+++ b/include/net/nfc/hci.h
@@ -87,7 +87,7 @@ struct nfc_hci_pipe {
  * According to specification 102 622 chapter 4.4 Pipes,
  * the pipe identifier is 7 bits long.
  */
-#define NFC_HCI_MAX_PIPES		127
+#define NFC_HCI_MAX_PIPES		128
 struct nfc_hci_init_data {
 	u8 gate_count;
 	struct nfc_hci_gate gates[NFC_HCI_MAX_CUSTOM_GATES];
Commit	Line	Data
f19546a9 GKH	1	From e285d5bfb7e9785d289663baef252dd315e171f8 Mon Sep 17 00:00:00 2001
	2	From: Suren Baghdasaryan <surenb@google.com>
	3	Date: Mon, 17 Sep 2018 15:51:41 +0200
	4	Subject: NFC: Fix the number of pipes
	5
	6	From: Suren Baghdasaryan <surenb@google.com>
	7
	8	commit e285d5bfb7e9785d289663baef252dd315e171f8 upstream.
	9
	10	According to ETSI TS 102 622 specification chapter 4.4 pipe identifier
	11	is 7 bits long which allows for 128 unique pipe IDs. Because
	12	NFC_HCI_MAX_PIPES is used as the number of pipes supported and not
	13	as the max pipe ID, its value should be 128 instead of 127.
	14
	15	nfc_hci_recv_from_llc extracts pipe ID from packet header using
	16	NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127.
	17	Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With
	18	pipes array having only 127 elements and pipe ID of 127 the OOB memory
	19	access will result.
	20
	21	Cc: Samuel Ortiz <sameo@linux.intel.com>
	22	Cc: Allen Pais <allen.pais@oracle.com>
	23	Cc: "David S. Miller" <davem@davemloft.net>
	24	Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
	25	Signed-off-by: Suren Baghdasaryan <surenb@google.com>
	26	Reviewed-by: Kees Cook <keescook@chromium.org>
	27	Cc: stable <stable@vger.kernel.org>
	28	Signed-off-by: David S. Miller <davem@davemloft.net>
	29	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	30
	31	---
	32	include/net/nfc/hci.h \| 2 +-
	33	1 file changed, 1 insertion(+), 1 deletion(-)
	34
	35	--- a/include/net/nfc/hci.h
	36	+++ b/include/net/nfc/hci.h
	37	@@ -87,7 +87,7 @@ struct nfc_hci_pipe {
	38	* According to specification 102 622 chapter 4.4 Pipes,
	39	* the pipe identifier is 7 bits long.
	40	*/
	41	-#define NFC_HCI_MAX_PIPES 127
	42	+#define NFC_HCI_MAX_PIPES 128
	43	struct nfc_hci_init_data {
	44	u8 gate_count;
	45	struct nfc_hci_gate gates[NFC_HCI_MAX_CUSTOM_GATES];