From: Greg Kroah-Hartman
Date: Thu, 24 Mar 2022 12:51:08 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v4.9.309~69
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc58834eacaec42f6d288ab3ae09159b57bdcbe9;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches added patches: nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
---
diff --git a/queue-5.10/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch b/queue-5.10/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
new file mode 100644
index 00000000000..0eb7dfc1026
--- /dev/null
+++ b/queue-5.10/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
@@ -0,0 +1,48 @@
+From 4fbcc1a4cb20fe26ad0225679c536c80f1648221 Mon Sep 17 00:00:00 2001
+From: Jordy Zomer
+Date: Tue, 11 Jan 2022 17:44:51 +0100
+Subject: nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
+
+From: Jordy Zomer
+
+commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
+
+It appears that there are some buffer overflows in EVT_TRANSACTION.
+This happens because the length parameters that are passed to memcpy
+come directly from skb->data and are not guarded in any way.
+
+Signed-off-by: Jordy Zomer
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Efremov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nfc/st21nfca/se.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -320,6 +320,11 @@ int st21nfca_connectivity_event_received
+ return -ENOMEM;
+
+ transaction->aid_len = skb->data[1];
++
++ /* Checking if the length of the AID is valid */
++ if (transaction->aid_len > sizeof(transaction->aid))
++ return -EINVAL;
++
+ memcpy(transaction->aid, &skb->data[2],
+ transaction->aid_len);
+
+@@ -329,6 +334,11 @@ int st21nfca_connectivity_event_received
+ return -EPROTO;
+
+ transaction->params_len = skb->data[transaction->aid_len + 3];
++
++ /* Total size is allocated (skb->len - 2) minus fixed array members */
++ if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
++ return -EINVAL;
++
+ memcpy(transaction->params, skb->data +
+ transaction->aid_len + 4, transaction->params_len);
+
diff --git a/queue-5.10/series b/queue-5.10/series
index e69de29bb2d..1972e51d926 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -0,0 +1 @@
+nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
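Review bot: The params_len guard in the second inner hunk can be bypassed by unsigned underflow: `skb->len` is an unsigned length, so whenever `skb->len - 2` is smaller than `sizeof(struct nfc_evt_transaction)` the subtraction wraps to a very large value, every params_len passes, and the following memcpy still reads past the end of the skb. Test the minimum first, `if (skb->len < sizeof(struct nfc_evt_transaction) + 2 || transaction->params_len > (skb->len - 2) - sizeof(struct nfc_evt_transaction)) return -EINVAL;`. The aid_len guard in the first inner hunk bounds only the destination array; unless the caller already enforces a minimum `skb->len` (not visible in this hunk), `aid_len + 2` bytes are copied from the skb without confirming they are present, and the index `skb->data[transaction->aid_len + 3]` is read on the same unchecked assumption, so a comparison of `transaction->aid_len + 4` against `skb->len` belongs there too. st21nfca_connectivity_event_received begins and ends outside this hunk.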