releases/5.10.109/nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 4fbcc1a4cb20fe26ad0225679c536c80f1648221 Mon Sep 17 00:00:00 2001
 From: Jordy Zomer <jordy@pwning.systems>
 Date: Tue, 11 Jan 2022 17:44:51 +0100
 Subject: nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION

 From: Jordy Zomer <jordy@pwning.systems>

 commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.

 It appears that there are some buffer overflows in EVT_TRANSACTION.
 This happens because the length parameters that are passed to memcpy
 come directly from skb->data and are not guarded in any way.

 Signed-off-by: Jordy Zomer <jordy@pwning.systems>
 Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/nfc/st21nfca/se.c |   10 ++++++++++
  1 file changed, 10 insertions(+)

 --- a/drivers/nfc/st21nfca/se.c
 +++ b/drivers/nfc/st21nfca/se.c
 @@ -320,6 +320,11 @@ int st21nfca_connectivity_event_received
  			return -ENOMEM;

  		transaction->aid_len = skb->data[1];
 +
 +		/* Checking if the length of the AID is valid */
 +		if (transaction->aid_len > sizeof(transaction->aid))
 +			return -EINVAL;
 +
  		memcpy(transaction->aid, &skb->data[2],
  		       transaction->aid_len);

 @@ -329,6 +334,11 @@ int st21nfca_connectivity_event_received
  			return -EPROTO;

  		transaction->params_len = skb->data[transaction->aid_len + 3];
 +
 +		/* Total size is allocated (skb->len - 2) minus fixed array members */
 +		if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
 +			return -EINVAL;
 +
  		memcpy(transaction->params, skb->data +
  		       transaction->aid_len + 4, transaction->params_len);
	From 4fbcc1a4cb20fe26ad0225679c536c80f1648221 Mon Sep 17 00:00:00 2001
	From: Jordy Zomer <jordy@pwning.systems>
	Date: Tue, 11 Jan 2022 17:44:51 +0100
	Subject: nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION

	From: Jordy Zomer <jordy@pwning.systems>

	commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.

	It appears that there are some buffer overflows in EVT_TRANSACTION.
	This happens because the length parameters that are passed to memcpy
	come directly from skb->data and are not guarded in any way.

	Signed-off-by: Jordy Zomer <jordy@pwning.systems>
	Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/nfc/st21nfca/se.c \| 10 ++++++++++
	1 file changed, 10 insertions(+)

	--- a/drivers/nfc/st21nfca/se.c
	+++ b/drivers/nfc/st21nfca/se.c
	@@ -320,6 +320,11 @@ int st21nfca_connectivity_event_received
	return -ENOMEM;

	transaction->aid_len = skb->data[1];
	+
	+ /* Checking if the length of the AID is valid */
	+ if (transaction->aid_len > sizeof(transaction->aid))
	+ return -EINVAL;
	+
	memcpy(transaction->aid, &skb->data[2],
	transaction->aid_len);

	@@ -329,6 +334,11 @@ int st21nfca_connectivity_event_received
	return -EPROTO;

	transaction->params_len = skb->data[transaction->aid_len + 3];
	+
	+ /* Total size is allocated (skb->len - 2) minus fixed array members */
	+ if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
	+ return -EINVAL;
	+
	memcpy(transaction->params, skb->data +
	transaction->aid_len + 4, transaction->params_len);