5.4-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 24 Mar 2022 12:51:20 +0000 (13:51 +0100)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 24 Mar 2022 12:51:20 +0000 (13:51 +0100)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 24 Mar 2022 12:51:20 +0000 (13:51 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 24 Mar 2022 12:51:20 +0000 (13:51 +0100)
diff --git a/queue-5.4/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch b/queue-5.4/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch

new file mode 100644 (file)

index 0000000..b235a8e
--- /dev/null
+++ b/queue-5.4/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
@@ -0,0 +1,48 @@
+From 4fbcc1a4cb20fe26ad0225679c536c80f1648221 Mon Sep 17 00:00:00 2001
+From: Jordy Zomer <jordy@pwning.systems>
+Date: Tue, 11 Jan 2022 17:44:51 +0100
+Subject: nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
+
+From: Jordy Zomer <jordy@pwning.systems>
+
+commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
+
+It appears that there are some buffer overflows in EVT_TRANSACTION.
+This happens because the length parameters that are passed to memcpy
+come directly from skb->data and are not guarded in any way.
+
+Signed-off-by: Jordy Zomer <jordy@pwning.systems>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/se.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -321,6 +321,11 @@ int st21nfca_connectivity_event_received
+                       return -ENOMEM;
+ 
+               transaction->aid_len = skb->data[1];
++
++              /* Checking if the length of the AID is valid */
++              if (transaction->aid_len > sizeof(transaction->aid))
++                      return -EINVAL;
++
+               memcpy(transaction->aid, &skb->data[2],
+                      transaction->aid_len);
+ 
+@@ -330,6 +335,11 @@ int st21nfca_connectivity_event_received
+                       return -EPROTO;
+ 
+               transaction->params_len = skb->data[transaction->aid_len + 3];
++
++              /* Total size is allocated (skb->len - 2) minus fixed array members */
++              if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
++                      return -EINVAL;
++
+               memcpy(transaction->params, skb->data +
+                      transaction->aid_len + 4, transaction->params_len);
+ 
diff --git a/queue-5.4/series b/queue-5.4/series

index e03208008df03da9b646824d45a83cc352237e08..9b3910aaa247d5a7e96dba994c4069038697f156 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -1,2 +1,3 @@
  nfsd-cleanup-nfsd_file_lru_dispose.patch
  nfsd-containerise-filecache-laundrette.patch
+nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 24 Mar 2022 12:51:20 +0000 (13:51 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 24 Mar 2022 12:51:20 +0000 (13:51 +0100)
queue-5.4/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch	[new file with mode: 0644]	patch \| blob
queue-5.4/series		patch \| blob \| blame \| history