From ad3b2549e95625c77de996b2021c6d403b8e6f17 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 24 Mar 2022 13:51:20 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
---
 ...-buffer-overflows-in-evt_transaction.patch | 48 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 49 insertions(+)
 create mode 100644 queue-5.4/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch

diff --git a/queue-5.4/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch b/queue-5.4/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
new file mode 100644
index 00000000000..b235a8e45c4
--- /dev/null
+++ b/queue-5.4/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
@@ -0,0 +1,48 @@
+From 4fbcc1a4cb20fe26ad0225679c536c80f1648221 Mon Sep 17 00:00:00 2001
+From: Jordy Zomer
+Date: Tue, 11 Jan 2022 17:44:51 +0100
+Subject: nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
+
+From: Jordy Zomer
+
+commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
+
+It appears that there are some buffer overflows in EVT_TRANSACTION.
+This happens because the length parameters that are passed to memcpy
+come directly from skb->data and are not guarded in any way.
+
+Signed-off-by: Jordy Zomer
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Denis Efremov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nfc/st21nfca/se.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -321,6 +321,11 @@ int st21nfca_connectivity_event_received
+ return -ENOMEM;
+ 
+ transaction->aid_len = skb->data[1];
++
++ /* Checking if the length of the AID is valid */
++ if (transaction->aid_len > sizeof(transaction->aid))
++ return -EINVAL;
++
+ memcpy(transaction->aid, &skb->data[2],
+ transaction->aid_len);
+ 
+@@ -330,6 +335,11 @@ int st21nfca_connectivity_event_received
+ return -EPROTO;
+ 
+ transaction->params_len = skb->data[transaction->aid_len + 3];
++
++ /* Total size is allocated (skb->len - 2) minus fixed array members */
++ if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
++ return -EINVAL;
++
+ memcpy(transaction->params, skb->data +
+ transaction->aid_len + 4, transaction->params_len);
+ 
diff --git a/queue-5.4/series b/queue-5.4/series
index e03208008df..9b3910aaa24 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -1,2 +1,3 @@
 nfsd-cleanup-nfsd_file_lru_dispose.patch
 nfsd-containerise-filecache-laundrette.patch
+nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch
-- 
2.47.3
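Review bot: The params_len guard in the second inner hunk (`(skb->len - 2) - sizeof(struct nfc_evt_transaction)`) is an unsigned subtraction, so for a short event where skb->len is smaller than the struct's fixed part plus 2 it wraps to a huge bound and the check passes trivially; nothing visible in the hunk establishes a lower bound on skb->len, and the only earlier length test is outside the hunk, so this should be hedged as "probably reachable" rather than certain. A defensive form that cannot wrap would be `if (skb->len < sizeof(*transaction) + 2 || transaction->params_len > skb->len - 2 - sizeof(*transaction)) return -EINVAL;`. Similarly, the new aid_len check in the first hunk bounds the destination (`sizeof(transaction->aid)`) but not the source: the following memcpy reads `aid_len` bytes from `&skb->data[2]` and the later index `skb->data[transaction->aid_len + 3]` is also unchecked against skb->len, so `transaction->aid_len + 2 > skb->len` should be rejected there too. The comment on the params check could also say what it bounds, e.g. `/* params must fit in the (skb->len - 2) allocation after the fixed struct members */`. The enclosing function st21nfca_connectivity_event_received begins and ends outside both inner hunks, so the allocation size and the earlier length test referenced here are inferred from the comment, not visible.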