Re: [PATCH v3 1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ

From: Samuel Ortiz
Date: Sat Jun 09 2018 - 05:52:10 EST

Next message: kbuild test robot: "Re: [PATCH v3 03/10] PCI: Update xxx_pcie_ep_raise_irq() and pci_epc_raise_irq() signatures"
Previous message: Udo van den Heuvel: "4.16.14: kernel tried to execute NX-protected page [after USB device went to charging state]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Amit,

On Fri, May 04, 2018 at 12:08:53AM +0530, Amit Pundir wrote:
> From: Suren Baghdasaryan <surenb@xxxxxxxxxx>
>
> Out of bounds kernel accesses in st21nfca's NFC HCI layer
> might happen when handling ATR_REQ events if user-specified
> atr_req->length is bigger than the buffer size. In
> that case memcpy() inside st21nfca_tm_send_atr_res() will
> read extra bytes resulting in OOB read from the kernel heap.
>
> cc: Stable <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Suren Baghdasaryan <surenb@xxxxxxxxxx>
> Signed-off-by: Amit Pundir <amit.pundir@xxxxxxxxxx>
> Reviewed-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
> ---
> v3..v1:
> Resend. No changes.
>
> drivers/nfc/st21nfca/dep.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
All 4 patches applied to nfc-next, thanks.

Cheers,
Samuel.

Next message: kbuild test robot: "Re: [PATCH v3 03/10] PCI: Update xxx_pcie_ep_raise_irq() and pci_epc_raise_irq() signatures"
Previous message: Udo van den Heuvel: "4.16.14: kernel tried to execute NX-protected page [after USB device went to charging state]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]